Step 1: Identify Vulnerable System: The attacker identifies a system running a vulnerable version of IRIX and confirms the presence of the fsdump command.
Step 2: File Manipulation: The attacker crafts a malicious file or symbolic link, targeting a critical system file (e.g., /etc/passwd, /etc/shadow) or a file that fsdump will interact with.
Step 3: Trigger fsdump: The attacker executes the fsdump command, potentially providing crafted input to trigger the vulnerability. This could involve specifying the malicious file or symbolic link in a way that fsdump processes it.
Step 4: File Overwrite/Modification: fsdump, due to its flawed logic, either overwrites the targeted system file with the attacker's malicious content or modifies it in a way that grants the attacker root privileges (e.g., adding a new user with root privileges or modifying an existing user's privileges).
Step 5: Privilege Escalation: The attacker leverages the modified system file (e.g., by logging in with the newly created root user) to gain root access.
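From a defender's side, the chain above leaves two handles: the root cause (a privileged program writing through a planted symbolic link) and the artefact (an extra UID-0 entry in /etc/passwd). The following Python is an added example, not code from the original text or from IRIX; the passwd sample is constructed, and the function names are hypothetical. It audits an /etc/passwd-style file for rogue root accounts and shows the symlink-refusing open pattern a privileged writer should use.

```python
import os
import stat
import tempfile

# Constructed sample in /etc/passwd format (not taken from a real host).
# The second UID-0 entry is the kind of artefact Step 4 leaves behind.
SAMPLE_PASSWD = """root:x:0:0:Super-User:/:/bin/sh
daemon:x:1:1::/:/bin/sh
guest:x:998:998:Guest Account:/usr/people/guest:/bin/csh
backdoor:x:0:0::/tmp:/bin/sh
"""


def find_rogue_root_accounts(passwd_text, allowed=("root",)):
    """Return names of UID-0 accounts that are not on the allow-list."""
    rogue = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line: skip it rather than abort the audit
        name, uid = fields[0], fields[2].strip()
        if uid == "0" and name not in allowed:
            rogue.append(name)
    return rogue


def open_output_nofollow(path):
    """Create an output file without following a symlink planted at `path`.

    O_NOFOLLOW refuses a symbolic link and O_EXCL refuses any existing
    file, so a link at a predictable name cannot redirect the write onto
    /etc/passwd or /etc/shadow. The fstat check guards against devices.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise OSError("refusing non-regular file: %s" % path)
    return fd


def symlink_write_is_refused():
    """Demo: plant a symlink in a scratch dir and confirm the open fails."""
    scratch = tempfile.mkdtemp()
    link = os.path.join(scratch, "dump.out")
    os.symlink(os.path.join(scratch, "victim"), link)  # dangling link
    try:
        os.close(open_output_nofollow(link))
        return False  # the write went through the link: unsafe
    except OSError:
        return True
```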