If one does setenv DEBUG_CSETUP 1 and then runs csetup, it'll create a file /usr/tmp/csetupLog, owned by root. Sure enough, it follows symlinks, follows umask if the file is nonexistent, and overwrites an existing file keeping the original permissions.

csetup will display a dialog window on startup, asking for the root password. However, one can press Cancel and it will proceed in "read-only" mode. Perhaps that was considered to be enough protection, so it doesn't bother dropping root privileges.

The log file looks like:

    Remote Host: xxx
    Address : xxx.xxx.xxx.xxx
    Set Initial Timeout (objectserver) : 1
    Get Lego objects Info
    Finished Loading objects info
    Networking Panel initialization complete!

The log file contains nice text, not just some binary crap. So from the OS point of view it's a shell script (no magic number, so exec hands it to sh): sh will be invoked to execute it, and it'll try to execute a command called "Remote". So we can overwrite some system binary and make some program running as root execute it. But one has to have control over PATH for it to be profitable.

That's where Irix helps us. Some may remember an old advisory about sgihelp; it was recommended that people _remove sgihelp_ till the patch was installed, pretty amazing, huh? That's because all those GUI tools that run as root invoke sgihelp without bothering to change uid first. The old sgihelp didn't care if uid/euid=0, you can imagine what this means. The new one does drop root very early, but it doesn't solve the real problem: many GUI tools call an external program while euid=0, which is totally unnecessary.

So, do setenv DEBUG_CSETUP 1, symlink /usr/tmp/csetupLog to /usr/sbin/sgihelp, put the infamous makesh called "Remote" first in your PATH, run csetup. At this point sgihelp is nuked. Now click on the Help button, and enjoy. Remember to make a copy of the real sgihelp first.

Discovered by Jay (srinivas@t2.chem.umn.edu), Yuri Volobuev merely helped him to finish off an exploit.
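The root of the bug is the create-or-truncate open of a fixed path that follows symlinks and inherits the umask. Below is an added example (not csetup's code, not from the original post) of how a privileged program should open such a debug log instead, together with a constructed scenario that plants a symlink where the log would go and checks that it is refused. The function and path names are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical replacement for the create-or-truncate pattern in the text.
 * O_CREAT|O_EXCL makes open() fail if anything, a symlink included, already
 * exists at path; O_NOFOLLOW is defence in depth where available. An explicit
 * mode of 0600 keeps the log private whatever the caller's umask is. */
int open_log_safely(const char *path)
{
    int flags = O_WRONLY | O_CREAT | O_EXCL;
#ifdef O_NOFOLLOW
    flags |= O_NOFOLLOW;
#endif
    int fd = open(path, flags, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    /* Confirm we hold a fresh regular file, not something pre-placed. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: plant a symlink where the log would go, then try to
 * open through it. Returns 1 if the link is refused, its target untouched and
 * a fresh log is created with no group/other bits; 0 otherwise. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/logdemoXXXXXX", link[64], target[64], fresh[64];
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(link, sizeof link, "%s/csetupLog", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(fresh, sizeof fresh, "%s/freshLog", dir);
    int ok = symlink(target, link) == 0
          && open_log_safely(link) == -1      /* symlink refused */
          && access(target, F_OK) != 0;       /* nothing created behind it */
    int fd = open_log_safely(fresh);
    struct stat st;
    ok = ok && fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 077) == 0;
    if (fd >= 0) close(fd);
    unlink(link); unlink(fresh); rmdir(dir);
    return ok;
}
```

Refusing to run helpers such as sgihelp with euid=0 is the other half of the fix; no amount of careful file opening helps once a root process executes whatever is first in an attacker-controlled PATH.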