serial_ports administrative program in IRIX 4.x and 5.x trusts the user's PATH environment variable to find and execute the ls program, which allows local users to gain root privileges via a Trojan horse ls program.
IRIX 4.x and 5.x systems are vulnerable to a critical local privilege escalation via the serial_ports administrative program. This vulnerability allows attackers to gain root access by exploiting the program's insecure handling of the user's PATH environment variable, enabling the execution of a malicious ls program. Successful exploitation grants complete control over the compromised system.
Step 1: Payload Delivery: The attacker creates a malicious ls executable. This executable is crafted to perform actions that elevate the attacker's privileges, such as setting the effective user ID (setuid) to root or executing a shell with root privileges.
Step 2: Path Manipulation: The attacker sets their PATH environment variable to include a directory where they have placed their malicious ls executable. This directory is typically one the attacker controls, such as their home directory.
Step 3: Triggering the Vulnerability: The attacker interacts with the serial_ports program. This interaction triggers the program to execute the ls command, which is used internally by serial_ports.
Step 4: Malicious Execution: Because of the manipulated PATH variable, the serial_ports program executes the attacker's malicious ls executable instead of the legitimate system ls command.
Step 5: Privilege Escalation: The malicious ls executable executes with the privileges of the serial_ports program, which is often running with root privileges. This allows the attacker to gain root access to the system.
The vulnerability is an untrusted search path issue within the serial_ports program (not path traversal). When the program attempts to execute the ls command, it relies on the caller-supplied PATH environment variable to locate the executable, and it neither validates nor resets that variable before use. An attacker can therefore place a directory under their control, containing a malicious ls executable, ahead of the system directories in PATH. When serial_ports attempts to execute ls, it runs the attacker's version instead, with the program's root privileges.
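The following is an added illustration, not IRIX or serial_ports source code: it contrasts the dangerous pattern (a privileged program spawning a shell that resolves `ls` through the caller's PATH) with a hardened helper that uses an absolute program path, no shell, and a fixed environment, plus a check a defender can use to audit a PATH value before a privileged program acts on it. The allow-list of trusted directories and the `/bin/ls` location are assumptions for the example.

```c
/* Added example (not IRIX or serial_ports code): why system("ls") in a
 * setuid-root program is dangerous, and how to invoke a helper without
 * trusting the caller's PATH. The trusted-directory list is an assumption. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Directories a privileged program may reasonably search (assumed list). */
static const char *const trusted_dirs[] = { "/bin", "/usr/bin", "/sbin", "/usr/sbin", NULL };

/* Return 1 if any PATH entry is empty (meaning the current directory),
 * relative, or not one of the trusted system directories; 0 otherwise. */
int path_has_untrusted_entry(const char *path)
{
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        int ok = 0;
        for (int i = 0; trusted_dirs[i]; i++)
            if (strlen(trusted_dirs[i]) == len && strncmp(p, trusted_dirs[i], len) == 0)
                ok = 1;
        if (!ok) return 1;          /* "", ".", "/home/x/bin", ... */
        if (!end) return 0;
        p = end + 1;
    }
}

/* VULNERABLE pattern: the shell spawned by system() resolves "ls" through
 * whatever PATH the unprivileged caller exported. Shown for contrast only. */
int run_ls_vulnerable(const char *dir)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "ls %s", dir);
    return system(cmd);
}

/* HARDENED: absolute program path, no shell, fixed environment.
 * Returns the child's exit status, or -1 on fork/wait failure. */
int run_ls_hardened(const char *dir)
{
    char *const argv[] = { "/bin/ls", (char *)dir, NULL };
    char *const envp[] = { "PATH=/bin:/usr/bin", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve("/bin/ls", argv, envp); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The check rejects an empty entry as well as a relative one, since an empty component in PATH (as in `/bin::/usr/bin`) makes the shell search the current directory.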