Advertisement






Irix Midikeys local root Vulnerability

CVE Category Price Severity
CVE-2001-1315 CWE-264 $3,000 High
Author Risk Exploitation Type Date
vade79 High Local 2018-09-20
CPE
cpe:cpe:/o:sgi:irix
CVSS EPSS EPSSP
CVSS:7.2/AV:L/AC:L/PR:L/UI:N/S:C/C:C/I:C/A:C 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018090184

Below is a copy:

Irix Midikeys local root Vulnerability
This has been verified for IRIX 6.4 and 6.3 by other sources. Their has been a response from SGI here is the advisory. Aleph1 has compiled some very usefull information as well.

On IRIX 6.5 systems (IRIX Release 6.5 IP28 )

        # uname -a
        IRIX64 devel 6.5 05190004
The setuid root binary midikeys can be used to read any file on the system using its gui interface. It can also be used to edit anyfile on the system, or execute a rootshell by changing your editor environment variable to a command in the CDE. I was able to get from guest account access to root access using the following procedure. Any local account will do.

From an unpriviledged account (guest).
        devel 25% id
        uid=998 gid=998(guest)
2) Execute the midikeys application with display set to your host.

        devel 26% ./midikeys
        devel 27% Xlib:  extension "GLX" missing on display "grinch:0.0".
        Xlib:  extension "GLX" missing on display "grinch:0.0".
3) under the midikeys window click sounds and then midi songs. This will open a file manager type interface.

4) You can enter the path and filename of files you which to read. including root owned with group/world read/write permissions unset.

5) If you select a file like "/usr/share/data/music/README" it will appear in a text editor. Use the text editor to open /etc/passwd and make modifications at will. Save and enjoy.

So I removed the '*' from sysadm...

          $ su sysadm
          # id
          uid=0(root) gid=0(sys)

          devel 28%  ls -l /usr/sbin/midikeys
          -rwsr-xr-x    1 root     root      218712 Jan 10 17:19 /usr/sbin/midikeys
I have tested this on 2 IRIX 6.5 and 1 6.2 host with success.

To fix: # chmod -s /usr/sbin/midikeys

SGI addressed this issue in the following document:

ftp://sgigate.sgi.com/security/19990501-01-A

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum