Firewalls: Re: IRIX 5.2 Security Advisory

Firewalls
(August 1994)

Indexed By Thread: [Previous] [Next]

Subject:	Re: IRIX 5.2 Security Advisory - Mystery Solved
From:	"Jim Littlefield" <little @ ragnarok . hks . com>
Date:	Wed, 10 Aug 1994 08:05:34 -0400
To:	Paul Walmsley <ccshag @ sgi2 . phlab . missouri . edu>
Cc:	Dave Sill <de5 @ de5 . CTD . ORNL . GOV>, Steve Kotsopoulos <steve @ ecf . toronto . edu>, bugtraq @ crimelab . com, firewalls @ GreatCircle . COM, aqualung @ maria . wustl . edu, lear @ yeager . corp . sgi . com, olson @ anchor . esd . sgi . com, cert @ cert . org
In-reply-to:	Paul Walmsley <ccshag @ sgi2 . phlab . missouri . edu> "IRIX 5.2 Security Advisory - Mystery Solved" (Aug 9, 6:10pm)
References:	<Pine . 3 . 89 . 9408091710 . C6454-0100000 @ sgi2 . phlab . missouri . edu>

On Aug 9,  6:10pm, Paul Walmsley wrote:
:
: Found it.

You beat me to it...but not my much.

:
: The hole is essentially caused by two oversights in the SGI Help system
: - one being X accelerators (or keyboard shortcuts), the other being
: sgihelp's use of system() to pipe printer output elsewhere.

The only time the hole can be exploited is when sgihelp is running as root.
Clogin runs as root, of course. It may be possible to do the same thing via the
"System Manager" functions, although I have not checked (yet).

-- 

Jim Littlefield  <little @
 hks .
 com>      I prefer caffeine free, clear, diet Jolt.

References:

IRIX 5.2 Security Advisory - Mystery Solved
From: Paul Walmsley <ccshag @ sgi2 . phlab . missouri . edu>

Indexed By Date	Previous:	Re: spotting PROMISC on Solaris From: Paul Howell <grue @ engin . umich . edu>
Indexed By Date	Next:	Re: IRIX 5.2 Security Advisory From: "Perry E. Metzger" <perry @ imsi . com>
Indexed By Thread	Previous:	IRIX 5.2 Security Advisory - Mystery Solved From: Paul Walmsley <ccshag @ sgi2 . phlab . missouri . edu>
Indexed By Thread	Next:	Re: IRIX 5.2 Security Advisory From: max @ gac . edu