Source: cve@mitre.org
Vulnerability in Desktop searchbook program in IRIX 5.0.x through 6.2 sets insecure permissions for certain user files (iconbook and searchbook).
Silicon Graphics IRIX 5.0.x through 6.2 ships a desktop searchbook program that creates certain per-user files (iconbook and searchbook) with insecure permissions. Any local user can therefore read, and potentially modify, another user's copies of these files. The published description states only that the permissions are insecure; it does not document a remote vector or a guaranteed path to root. The realistic impact is local tampering with, and disclosure of, another user's desktop data, escalating to that user's privileges if the desktop acts on attacker-supplied contents.
Step 1: Obtain Local Access: The attacker needs an account (or an existing foothold) on a host running a vulnerable IRIX release (5.0.x through 6.2); the flaw is not reachable over the network on its own.
Step 2: Locate Vulnerable Files: The attacker locates another user's iconbook and searchbook files, the per-user data files maintained by the desktop searchbook program, and confirms they are group- or world-writable.
Step 3: Craft Malicious Content: The attacker prepares content that the desktop will act on when it reads these files. The public description does not specify the file format, so what can usefully be injected (a command, a path, a reference to an attacker-controlled program) has to be determined against the actual IRIX release.
Step 4: Overwrite Vulnerable Files: The attacker overwrites or edits the victim's iconbook and/or searchbook, which the insecure permissions allow.
Step 5: Trigger Execution: The attacker waits for, or induces, the victim to use the desktop searchbook, causing the tampered files to be read.
Step 6: Privilege Escalation: Whatever the desktop does with the tampered content happens with the privileges of the user running it. The attacker gains that user's access; if the victim is the administrator working as root, that means root.
The root cause is that the desktop searchbook program creates the iconbook and searchbook files with a permissive mode, so users other than the owner can read and potentially write them, instead of restricting them to the owning user (for example mode 0600). This is the classic incorrect-default-permissions weakness (CWE-276): a program writes a file that it will later trust, but leaves that file modifiable by others, so a local attacker can inject content that is consumed, and possibly acted upon, in the context of the file's owner.
Due to the age of the vulnerability, it's unlikely to be directly associated with specific APT groups in current reports. However, any threat actor targeting legacy systems could leverage this. Not listed in CISA KEV.
Monitor file system activity for modifications to iconbook and searchbook files.
Analyze system logs for suspicious activity related to the desktop searchbook program.
Check the permissions on every user's iconbook and searchbook files: they should be owned by that user and not writable (ideally not readable) by group or others, e.g. mode 0600. Do not make them root-only; they are per-user files and the desktop must still be able to read and update them as the user.
Network traffic analysis adds little here, since the flaw is local; if used, treat it as a way to spot the initial access that gave the attacker a local account on the IRIX host.
Upgrade to a supported version of IRIX or a modern operating system. This is the most effective solution.
If upgrading is not possible, apply security patches provided by Silicon Graphics (if available).
Restrict access to the desktop searchbook program to only authorized users.
Correct the permissions of each user's iconbook and searchbook files so they are owned by that user and not writable by group or others (mode 0600, or 0644 if the desktop needs them readable). This prevents other local users from modifying them. Making them owned by and accessible only to root would break the desktop for the user and is not the fix.
Implement a host-based intrusion detection system (HIDS) to monitor for suspicious activity.
Regularly audit file permissions to ensure they are configured correctly.
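The permission check under detection and the permission fix under mitigation can be done with one script. The following is an added example written for this page, not SGI code or a vendor tool. It assumes the files live somewhere under the users' home directories (on IRIX conventionally /usr/people, which is an assumption here) and are named exactly iconbook and searchbook; it reports any that are group- or world-writable and, when asked, resets them to 0600 without changing ownership.

```shell
#!/bin/sh
# Audit and repair permissions on IRIX desktop iconbook/searchbook files.
# Added example for this page, not SGI code. The directory to scan is an
# assumption: pass the parent of the users' home directories (e.g. /usr/people).

# List iconbook/searchbook files under $1 that are group- or world-writable.
# One path per line; empty output means nothing is exposed.
find_insecure_books() {
    find "$1" -type f \( -name iconbook -o -name searchbook \) \
        \( -perm -020 -o -perm -002 \) -print
}

# Reset every file reported by find_insecure_books to mode 0600.
# Ownership is deliberately left alone: these are per-user files and must
# stay owned by the user, not root, or the desktop stops working for them.
fix_insecure_books() {
    find_insecure_books "$1" | while IFS= read -r f; do
        chmod 600 "$f"
        printf 'fixed: %s\n' "$f"
    done
}

# Succeed (exit 0) only if no insecure iconbook/searchbook remains under $1.
check_books_secure() {
    [ -z "$(find_insecure_books "$1")" ]
}
```

Run `find_insecure_books /usr/people` first to see what would change, then `fix_insecure_books /usr/people` as root. The script never chowns anything; `check_books_secure` is suitable for a periodic audit job.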