IRIX inpview Environment Variable Local Privilege Escalation
Local Access Required
Loss of Integrity
IRIX contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when inpview trusts the user environment and does not drop privileges. A malicious user can set the environment variable SUN_TTSESSION_CMD to "cp /bin/jsh /tmp/jsh;chmod 6755 /tmp/jsh;killall -9 inpview," which will execute with root permissions, thus allowing a regular user to drop a setuid and setgid shell to /tmp. This flaw leads to a loss of integrity.
The vendor has discontinued this product and therefore has no patch or upgrade that mitigates this problem. However, it is possible to fix this vulnerability by implementing the following workaround: remove the setuid bit from inpview.
chmod u-s /usr/lib/InPerson/inpview