CVE-1999-1022

Source: cve@mitre.org

MEDIUM
6.2
Published: October 2, 1994 at 04:00 AM
Modified: April 3, 2025 at 01:03 AM

Vulnerability Description

serial_ports administrative program in IRIX 4.x and 5.x trusts the user's PATH environmental variable to find and execute the ls program, which allows local users to gain root privileges via a Trojan horse ls program.

CVSS Metrics

Base Score
6.2
Severity
MEDIUM
Vector String
AV:L/AC:H/Au:N/C:C/I:C/A:C

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

IRIX 4.x and 5.x systems are vulnerable to a local privilege escalation. The serial_ports administrative program relies on the user's PATH environment variable to find and execute the ls command, so a local attacker can place a malicious ls program earlier in PATH and gain root access.

02 // Vulnerability Mechanism

Step 1: Payload Preparation: The attacker creates a malicious ls executable. This executable could be a simple shell script that executes a command to gain root privileges (e.g., chmod +s /bin/sh; /bin/sh).

Step 2: Environment Manipulation: The attacker sets the PATH environment variable to include a directory they control (e.g., /tmp) and ensures this directory comes before the system's /bin directory in the PATH.

Step 3: Payload Placement: The attacker places the malicious ls executable in the directory specified in their modified PATH (e.g., /tmp/ls).

Step 4: Triggering the Vulnerability: The attacker executes the serial_ports program. The serial_ports program, when it needs to execute ls, uses the attacker-controlled PATH variable to locate and execute the malicious ls program.

Step 5: Privilege Escalation: The malicious ls program executes, granting the attacker root privileges.

03 // Deep Technical Analysis

The vulnerability stems from a failure to properly sanitize the environment variables used by the serial_ports program. Specifically, the program trusts the user-controlled PATH variable to locate and execute the ls command. This creates a command injection vulnerability. By manipulating the PATH variable to point to a malicious ls executable located in a directory controlled by the attacker (e.g., /tmp), an attacker can execute arbitrary code with root privileges when serial_ports calls ls. The root cause is a lack of secure path resolution and a failure to validate the executables being called.

04 // Exploitation Status

This vulnerability has a **Public PoC** and is likely **Actively exploited** on legacy systems. Exploits are readily available.

05 // Threat Intelligence

While specific APT groups are not directly linked to this vulnerability, it is a common attack vector for gaining initial access on vulnerable systems. This vulnerability is not listed in the CISA KEV catalog due to its age and the limited number of affected systems still in use.

06 // Detection & Hunting

  • Monitor system logs for unusual activity related to the serial_ports program.

  • Inspect the PATH environment variable of user accounts, looking for suspicious entries.

  • Analyze file system integrity, specifically looking for modified system binaries like ls.

  • Monitor the network for suspicious outbound connections from the affected system after the exploit is triggered.

07 // Remediation & Hardening

  • Upgrade to a supported version of IRIX (if possible).

  • Remove or disable the serial_ports program if it is not required.

  • Carefully review and sanitize the PATH environment variable for all user accounts, ensuring that it does not include any untrusted directories.

  • Implement file integrity monitoring to detect unauthorized modifications to system binaries.

  • Restrict user access to the system and implement the principle of least privilege.

  • If the program is essential, rewrite it to use absolute paths for every external command it executes, or to use another secure method of locating the ls program.
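
One way to apply the absolute-path remediation above, shown as an added example (not code from IRIX or from serial_ports). The helper name `run_ls_safely`, the `/bin/ls` location and the contents of the fixed environment are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Assumption: ls is installed at /bin/ls on the target system. */
#define LS_PATH "/bin/ls"

/* Fixed, minimal environment for the child. Nothing is inherited from the
 * caller, so a hostile PATH or IFS never reaches the executed program. */
static char *const clean_env[] = { "PATH=/bin:/usr/bin", "IFS= \t\n", NULL };

/* Hypothetical helper: list `dir` from a privileged program without ever
 * consulting the caller's PATH. Returns the exit status of ls, or -1. */
int run_ls_safely(const char *dir)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: discard the listing for this demo. */
        int fd = open("/dev/null", O_WRONLY);
        if (fd >= 0) { dup2(fd, STDOUT_FILENO); close(fd); }
        char *const argv[] = { "ls", "--", (char *)dir, NULL };
        /* execve() takes a full path and does no PATH search, unlike
         * system(), popen(), execlp() and execvp(). */
        execve(LS_PATH, argv, clean_env);
        _exit(127);                     /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed hostile setting: PATH begins with an untrusted directory. */
    setenv("PATH", "/tmp/untrusted:/bin", 1);
    printf("ls exit status: %d\n", run_ls_safely("/"));
    return 0;
}
```

Because the binary is named by absolute path and the environment is rebuilt from constants, the value of PATH in the calling user's session has no influence on which program runs.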

08 // Affected Products

  • IRIX 4.x

  • IRIX 5.x
