Subject: [EXPL] LSD releases numerous exploits for IRIX
Date: Wed, 9 Aug 2000 08:05:46 +0200

LSD releases numerous exploits for IRIX
--------------------------------------------------------------------------------

SUMMARY

The LSD group has decided to release previously unpublished exploit code for the IRIX operating system. Some of these exploits no longer work because patches have been published and applied, but some still work even with the latest patches installed.

DETAILS

Exploits:

[1] /usr/sbin/gr_osview         IRIX 6.2 6.3                   http://lsd-pl.net/files/get?IRIX/irx_gr_osview
[2] libgl.so $HOME              IRIX 6.2                       http://lsd-pl.net/files/get?IRIX/irx_libgl
[3] /sbin/pset                  IRIX 6.2 6.3                   http://lsd-pl.net/files/get?IRIX/irx_pset2
[4] /usr/sbin/dmplay            IRIX 6.2 6.3                   http://lsd-pl.net/files/get?IRIX/irx_dmplay
[5] /usr/bsd/rlogin             IRIX 5.2 5.3 6.2 6.3           http://lsd-pl.net/files/get?IRIX/irx_rlogin
[6] /bin/lpstat                 IRIX 6.2 6.3                   http://lsd-pl.net/files/get?IRIX/irx_lpstat
[7] /usr/lib/InPerson/inpview   IRIX 6.5 6.5.8                 http://lsd-pl.net/files/get?IRIX/irx_inpview

All of the above except inpview are buffer overflows. They can be exploited only up to IRIX 6.3, because IRIX 6.4 and later use the N32 ELF binary format, which places 64-bit pointers on the stack.

There are also some older codes exploiting known bugs. Some of them have already been published by other authors but did not work as they should.

[1] libXt.so -xrm               IRIX 5.2 5.3 6.2 6.3           http://lsd-pl.net/files/get?IRIX/irx_libxt
[2] truncate()                  IRIX 6.2 6.3 6.4               http://lsd-pl.net/files/get?IRIX/irx_truncate
[3] libc.so $NLSPATH            IRIX 6.2                       http://lsd-pl.net/files/get?IRIX/irx_libc
[4] /usr/bin/mail               IRIX 6.2 6.3                   http://lsd-pl.net/files/get?IRIX/irx_mail
[5] libXaw.so inputMethod       IRIX 6.2                       http://lsd-pl.net/files/get?IRIX/irx_libxaw
[6] arrayd                      IRIX 6.2 6.3 6.4 6.5 6.5.4     http://lsd-pl.net/files/get?IRIX/irx_arrayd

Truncate "exploits" a bug in the part of the IRIX kernel that handles the xfs filesystem (the truncate system call does not check the caller's credentials).

The mail exploit was never published for IRIX; the same is true for libXaw, which was only implemented for X11R6 on Linux. Arrayd is a classic example showing the state of the art in the security area as done by SGI folks and the way they design authentication into software. The exploit code for it was never published before and should also work on Cray UNICOS 9.0.x.x and 10.0.0.6 systems.

The following exploits were previously published only in very limited circles:

[1] IRIX rpc.ttdbserverd        IRIX 5.2 5.3 6.2 6.3 6.4 6.5 6.5.2     http://lsd-pl.net/files/get?IRIX/irx_rpc.ttdbserverd
[2] Solaris rpc.ttdbserverd     Solaris 2.3 2.4 2.5 2.5.1 2.6 sparc    http://lsd-pl.net/files/get?SOLARIS/solsparc_rpc.ttdbserverd
[3] Solaris rpc.cmsd            Solaris 2.5 2.5.1 2.6 2.7 sparc        http://lsd-pl.net/files/get?SOLARIS/solsparc_rpc.cmsd

Contrary to the previously published versions of these exploits (sh -c command execution), these are capable of providing a remote shell connection. To achieve that we use findsckcode, which walks the descriptor table of the exploited process in search of an established TCP connection. That TCP socket descriptor is then duplicated onto stdin, stdout and stderr, and /bin/sh is spawned.

ADDITIONAL INFORMATION

The information has been provided by LSD.

All of these exploits can be found at:
http://lsd-pl.net/vulnerabilities.html

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
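The findsckcode behaviour described above (an established TCP socket duplicated onto descriptors 0, 1 and 2 before /bin/sh is spawned) leaves a host-side artifact that a defender can look for: a shell whose stdin, stdout and stderr are all the same network socket. The following script is an added example, not LSD's code or anything from the advisory. It reads a Linux-style /proc layout (an assumption; the IRIX /proc of the era is not modelled) to list each shell process with socket-backed standard descriptors and, where the socket inode appears in /proc/net/tcp, the connection state and peer address. The sample process tables and /proc/net/tcp lines at the bottom are constructed so the script can be run offline.

```python
#!/usr/bin/env python3
"""Flag shells whose stdin/stdout/stderr are all the same network socket.

Added example (not part of the LSD advisory). Assumes a Linux-style /proc:
/proc/<pid>/comm, /proc/<pid>/fd/<n> symlinks and /proc/net/tcp.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")
SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "dash", "zsh"}
# /proc/net/tcp state codes (kernel enum tcp_states, hex as printed).
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}


@dataclass
class ProcInfo:
    pid: int
    comm: str
    fd_links: Dict[int, str]  # fd number -> readlink() target of /proc/<pid>/fd/<n>


def stdio_socket_inode(info: ProcInfo) -> Optional[int]:
    """Return the socket inode if fds 0, 1 and 2 all point at one socket, else None."""
    inodes = set()
    for fd in (0, 1, 2):
        m = SOCKET_RE.match(info.fd_links.get(fd, ""))
        if not m:
            return None  # a tty, pipe, file or missing fd: not the pattern we want
        inodes.add(int(m.group(1)))
    return inodes.pop() if len(inodes) == 1 else None


def decode_addr(hexaddr: str) -> str:
    """Turn the little-endian 'AABBCCDD:PPPP' form of /proc/net/tcp into 'a.b.c.d:port'."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in range(0, 8, 2)][::-1]
    return "%d.%d.%d.%d:%d" % (*octets, int(port_hex, 16))


def parse_proc_net_tcp(text: str) -> Dict[int, dict]:
    """Map socket inode -> {local, remote, state} for every IPv4 TCP socket listed."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue  # header line or malformed row
        table[int(fields[9])] = {"local": decode_addr(fields[1]),
                                 "remote": decode_addr(fields[2]),
                                 "state": TCP_STATES.get(fields[3], fields[3])}
    return table


def find_socket_shells(procs: List[ProcInfo], tcp_table: Dict[int, dict]) -> List[dict]:
    """Report every shell process whose three standard descriptors share a socket."""
    findings = []
    for p in procs:
        if os.path.basename(p.comm) not in SHELLS:
            continue
        inode = stdio_socket_inode(p)
        if inode is None:
            continue
        conn = tcp_table.get(inode, {})  # missing: not IPv4 TCP, still worth reporting
        findings.append({"pid": p.pid, "comm": p.comm, "inode": inode,
                         "state": conn.get("state"), "local": conn.get("local"),
                         "remote": conn.get("remote")})
    return findings


def read_proc(pid: int) -> ProcInfo:
    """Collect comm and fd links for one live process (may raise OSError)."""
    base = f"/proc/{pid}"
    with open(f"{base}/comm") as f:
        comm = f.read().strip()
    links = {}
    for name in os.listdir(f"{base}/fd"):
        try:
            links[int(name)] = os.readlink(f"{base}/fd/{name}")
        except OSError:
            continue  # descriptor closed between listdir and readlink
    return ProcInfo(pid, comm, links)


def scan_live() -> List[dict]:
    """Scan the running system; needs privileges to read other users' fd tables."""
    procs = []
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                procs.append(read_proc(int(name)))
            except OSError:
                continue
    with open("/proc/net/tcp") as f:
        return find_socket_shells(procs, parse_proc_net_tcp(f.read()))


# Constructed sample data: one post-exploitation shell (pid 4242), one normal
# interactive shell, one shell in a pipeline, one socket-backed shell whose
# inode is not an IPv4 TCP socket.
SAMPLE_PROCS = [
    ProcInfo(4242, "sh", {0: "socket:[12345]", 1: "socket:[12345]", 2: "socket:[12345]", 3: "/dev/null"}),
    ProcInfo(1000, "bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    ProcInfo(3000, "sh", {0: "socket:[999]", 1: "pipe:[55]", 2: "pipe:[55]"}),
    ProcInfo(5000, "ksh", {0: "socket:[4711]", 1: "socket:[4711]", 2: "socket:[4711]"}),
]
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A00000A:2710 1400000A:C4A2 01 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 777 1 0000000000000000 100 0 0 10 0
"""


def demo() -> List[dict]:
    return find_socket_shells(SAMPLE_PROCS, parse_proc_net_tcp(SAMPLE_NET_TCP))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run without arguments it prints the two findings from the constructed data (pid 4242 on an ESTABLISHED connection from 10.0.0.20, and pid 5000 with a socket that is not in the IPv4 TCP table); call scan_live() instead to check a real host. The check deliberately keys on all three standard descriptors sharing one socket, because that is exactly what dup2'ing a connection onto 0, 1 and 2 produces, while legitimate network daemons normally keep a tty, /dev/null or a pipe on those descriptors.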