/usr/bin/X11/cdplayer, part of a standard Irix 5.3/6.2
installation, is suid and insecure. It can be used by any local
user for creating root-owned, world-writable arbitrarily named
directory anywhere on the system. Some other weaknesses of
standard Irix configuration allow to convert it to root
priviledges. And how to make that? Read following text which
describes exploit in funny way thanks to Yuri Volobuev.
Suid program that does file I/O always has something to offer.
First step, reading man page, shows that it stores CD catalogs
and programs in ~/.cddb directory. Well, let's see it working.
Put audio CD in the drive, run cdplayer. Looks nice. Let's make
a short CD description and look at what we have on the disk.
Indeed, ~/.cddb is there, but it's empty. Hm. ls -ld ~/.cddb.
Owned by root? Interesting. But harmless. What is the use of
root-owned ~/.cddb? But what did that man page say about
CDDB_WRITE_PATH? Yep, RTFMing always helps, now we have .cddb in
/etc. Let's see if catalog files themselves are root-owned.
Nope. And it refuses to overwrite anything. Too bad, it's
suid-aware and gives up root priorities. So it's still useless.
Now it is right time to use strings command.
strings /usr/bin/X11/cdplayer
As usually, out friend strings tells us many interesting facts.
For example, there are few strings that look like command line
options, particularly -dbcdir. Yep, these are valid options,
though not documented in man page. What -dbcdir does? Suddenly,
our abilities increase from creating .cddb anywhere to creating a
root-owned arbitrarily named directory anywhere. Not bad. But
how empty directory could be usefull? No way. And it's writable
only by root... hm. What permissions that directory has?
drwxr-xr-x -- why so? Wait a moment, what is our umask? Bull's
eye. umask 000; cdplayer -dbcdir /etc/test. drwxrwxrwx. Cool.
Some thinking reveals that indeed all that we have earned so far
is pretty useless -- on an ideal OS. But we deal with Irix,
which is pretty far from this nice state and more close to
opposite, user-friendly OS.
Some scientists say that humans only use fraction of their brain,
the rest is there but isn't being used. What is true about
humans is usually true about things that humans create, in
particular /etc/passwd files. Lets take a peek. Right near the
top, we see an interesting line
sysadm:*:0:0:System V Administration:/usr/admin:/bin/sh
wow. uid 0. But it's starred out. And home directory doesn't
exist. DOESN'T EXIST? He he. One call to our friend cdplayer,
and it does. Now what? .forward? Doesn't work, sysadm is in
/etc/aliases. More thinking and suddenly it strikes me - why I'm
so stupid? Why I first think about .forward, not about obvious
things?
echo "+ +" >/usr/admin/.rhosts
As fingers type, something is telling me that it's not going to
work. Yep, it doesn't, .rhosts have to be owned by the home
directory owner, i.e. sysadm. But we're almost there. Last
effort -- recall it's Irix, and it's user-friendly. Remember,
some time ago somebody on bugtraq (or was it linux-security?)
asked what is bad in giving away your own file. Well, here's a
live demo:
$host> chown root.sys /usr/admin/.rhosts
$host> rsh localhost -l sysadm
#