From proff  Thu Aug 15 11:01:53 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id LAA28326 for best-of-security; Thu, 15 Aug 1996 11:01:52 +1000
Received: from brimstone.netspace.org ([128.148.157.143]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id KAA27927 for <proff@SUBURBIA.NET>; Thu, 15 Aug 1996 10:52:41 +1000
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <25652-27444>; Wed, 14 Aug 1996 20:51:20 -0500
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id UAA29894; Wed, 14 Aug 1996 20:50:25 -0400
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8b) with
          spool id 264522 for BUGTRAQ@NETSPACE.ORG; Wed, 14 Aug 1996 20:42:23
          +2000
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org
          (8.7/8.6.12) with SMTP id UAA28719 for <BUGTRAQ@NETSPACE.ORG>; Wed,
          14 Aug 1996 20:40:28 -0400
Approved-By: ALEPH1@UNDERGROUND.ORG
Received: from antares.mcs.anl.gov (antares10.mcs.anl.gov [140.221.10.64]) by
          netspace.org (8.7/8.6.12) with SMTP id OAA22157 for
          <BUGTRAQ@NETSPACE.ORG>; Wed, 14 Aug 1996 14:13:49 -0400
Received: from bruise.mcs.anl.gov (bruise-cave.mcs.anl.gov [140.221.32.96]) by
          antares.mcs.anl.gov (8.6.10/8.6.10)  with SMTP id NAA03202 for
          <BUGTRAQ@NETSPACE.ORG>; Wed, 14 Aug 1996 13:13:36 -0500
X-Sender: nickless@antares.mcs.anl.gov
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Approved-By:  Bill Nickless <nickless@MCS.ANL.GOV>
Message-ID: <2.2.32.19960814180814.0069daa8@antares.mcs.anl.gov>
Date: 	Wed, 14 Aug 1996 13:08:14 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
Sender: proff
From: Bill Nickless <nickless@mcs.anl.gov>
Subject:      Re: IRIX 5.3 chost
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

I did a little experimentation and found that there's another precondition
for this cadmin exploit to work.  You cannot have a desktopManager process
already running as you when you start the process.

First, verification that we're running the right patch levels and such:

flying% uname -a
IRIX flying 5.3 11091811 IP19 mips
flying% versions -b | cut -c35-199 | grep Patch
Patch SG0000172
Patch SG0000197
Patch SG0000426
Patch SG0000813: Provide icrash on 5.3
Patch SG0000852: SCSI roll up for 5.3 without XFS
Patch SG0000870: 5.3 EFS rollup patch for all 5.3 non-XFS releases
Patch SG0000900: rev 3.17 io4prom patch
Patch SG0000918: RE OpenGL Extensions, Aux Buffers, and Bug Fix Rollup
Patch SG0001020: Security fix for login and telnetd
Patch SG0001092: networking rollup, fixes for hangs on socket data, new mrouted
Patch SG0001096: Objectsystem & Removable Media Software roll up
Patch SG0001102: NFS roll-up
Patch SG0001116: 5.3/5.3XFS combined kernel roll up patch
Patch SG0001128: CERT VU 15781
Patch SG0001146: sendmail security bug in queue management
Patch SG0001157: Change hinv to recognize all IMPACT gfx
Patch SG0001324: Fix for security loophole in the desktop permissions panel
flying% cd /usr/Cadmin/bin
flying% ls -l cimport
-rwsr-xr-x    1 root     sys       161896 Apr  9 00:29 cimport
flying% sum cimport
62654 317 cimport
flying% df | grep nfs
cavesound:/usr/tmp          nfs 3052196 2725027  327169  89%  /mnt

Now for the exploit, run as a regular non-root user:

1. From any shell prompt: killall -9 desktopManager
2. From /usr/Cadmin/bin, run ./cadmin.
3. Click on "New" as if you were going to create a new NFS mount point.
4. A dialog window will appear asking for the root password.  Enter something
   other than the root password into the password field.  Click on "OK".
5. An error dialog window will appear warning that you have entered an
   incorrect password.  Click on "OK".
6. You are then returned to the root password-requesting dialog window.
   Click on "Cancel."
7. Double-click on the folder icon of the previously-mounted NFS filesystem.
   This will start a desktopManager process, ostensibly running as you the
   user, but actually running with some root privileges.
8. In the top of the desktopManager window, replace the pathname of the
   previously-mounted NFS filesystem with /etc
9. Scroll down to passwd, double-click, and edit to your heart's content
   in the jot window that gets created.

Once again, the workaround shell script fragment that eliminates this exposure:

#!/bin/sh
# Exploit from http://www.eecs.nwu.edu/~jmeyers/bugtraq/1099.html
# will work even with the patches installed as of 13 August 1996.
# Accordingly, turning off the suid bits on the Cadmin programs.

# Every setuid-root helper under /usr/Cadmin/bin; chmod u-s clears only the
# setuid bit and leaves the rest of the mode untouched.
for p in cexport cformat chaltsys chost chostInfo cimport clogin \
        cmidi configClogin cpeople cports cpuView csetup cswap \
        diskView tapeView videoView
do
        /bin/chmod u-s /usr/Cadmin/bin/$p
done
--
Bill Nickless              nickless@mcs.anl.gov               +1 630 252 7390
PGP 2.6.2 Key fingerprint =  0E 0F 16 80 C5 B1 69 52  E1 44 1A A5 0E 1B 74 F7
                 http://www.mcs.anl.gov/people/nickless
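An added example, not part of the original post: the workaround above runs chmod and trusts it. The script below wraps the same program list in functions that first report which Cadmin binaries are still setuid, then strip the bit and re-check, so a mistyped path or a failed chmod shows up instead of silently leaving an exposure. The directory is taken from CADMIN_DIR (assumed name; defaults to /usr/Cadmin/bin) so the functions can be exercised on a scratch directory, which is what demo() does with empty placeholder files it creates itself.

```shell
#!/bin/sh
# Added example (not from the original post): audit and strip the setuid bit
# from the Cadmin helper binaries, verifying the result instead of trusting
# chmod silently. CADMIN_DIR is an assumed variable name; override it to run
# the functions against a scratch directory rather than the real system.

CADMIN_DIR="${CADMIN_DIR:-/usr/Cadmin/bin}"

# Same program list the workaround strips; chost, the subject of the thread,
# is among them.
CADMIN_SUID_PROGS="cexport cformat chaltsys chost chostInfo cimport clogin \
cmidi configClogin cpeople cports cpuView csetup cswap \
diskView tapeView videoView"

# is_setuid FILE: succeed if FILE has the setuid bit set (POSIX test -u).
is_setuid() {
    [ -u "$1" ]
}

# list_setuid DIR: print each listed program in DIR that is still setuid.
list_setuid() {
    dir="$1"
    for p in $CADMIN_SUID_PROGS; do
        f="$dir/$p"
        [ -f "$f" ] || continue
        is_setuid "$f" && echo "$f"
    done
    return 0
}

# strip_setuid DIR: clear setuid on the listed programs in DIR and re-check.
# Returns non-zero if chmod failed or any program is still setuid afterwards.
strip_setuid() {
    dir="$1"
    rc=0
    for p in $CADMIN_SUID_PROGS; do
        f="$dir/$p"
        [ -f "$f" ] || continue
        if is_setuid "$f"; then
            chmod u-s "$f" || rc=1
            if is_setuid "$f"; then
                echo "still setuid: $f" >&2
                rc=1
            fi
        fi
    done
    return $rc
}

# demo: build a scratch directory of constructed placeholder files that
# mimic the setuid-root layout, then show the before/after counts.
demo() {
    tmp="${TMPDIR:-/tmp}/cadmin-demo.$$"
    mkdir -p "$tmp"
    for p in $CADMIN_SUID_PROGS; do
        : > "$tmp/$p"
        chmod 4755 "$tmp/$p"
    done
    before=$(list_setuid "$tmp" | wc -l | tr -d ' ')
    strip_setuid "$tmp"
    after=$(list_setuid "$tmp" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "setuid programs before: $before, after: $after"
}
```

Run `CADMIN_DIR=/usr/Cadmin/bin sh -c '. ./cadmin-suid.sh; list_setuid "$CADMIN_DIR"'` as root to see what is still exposed before stripping; `demo` needs no privileges because it only touches files it creates under TMPDIR.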

