COMMAND

    /usr/sbin/scanners

SYSTEMS AFFECTED

    IRIX 5.3

PROBLEM

    /usr/sbin/scanners, a setuid-root GUI tool for scanner setup,
    contains an ugly and easily exploitable bug that allows any local
    user to gain root privileges.  It's part of the Impressario package.

        strings /usr/sbin/scanners | grep SGIHELPROOT

    If the string is found, your system is probably vulnerable.

    The bug itself is pretty lame.  scanners runs with uid=0 and
    euid=luserid, and doesn't change uid before calling sgihelp.  And
    it's even more gullible than LicenceManager v1.0 -- it takes the
    path for the help program from the SGIHELPROOT environment
    variable.  So setting SGIHELPROOT to /tmp and putting something
    called sgihelp in /tmp, then running scanners and selecting any
    line in the Help menu, will execute this something as root.  Pretty
    neat.  This bug is brought to you by Yuri Volobuev.

SOLUTION

    chmod u-s /usr/sbin/scanners or patch (if available).