Vulnerability in Desktop searchbook program in IRIX 5.0.x through 6.2 sets insecure permissions for certain user files (iconbook and searchbook).
A security flaw in the IRIX desktop searchbook program lets a local attacker gain unauthorized access to and control of an affected system. The flaw stems from insecure file permissions on files the program creates for the user: because other users can modify those files, a malicious local user can alter content that is later consumed or executed with elevated privileges, which can lead to full system compromise.
Step 1: Identify Vulnerable System: The attacker identifies a target system running IRIX 5.0.x through 6.2.
Step 2: Locate iconbook or searchbook: The attacker identifies the location of the iconbook and/or searchbook files, which are used by the desktop searchbook program.
Step 3: Gain Write Access: The attacker leverages the insecure file permissions to gain write access to the iconbook and/or searchbook files.
Step 4: Craft Malicious Payload: The attacker crafts a malicious payload (e.g., a shell script or compiled binary) designed to execute with elevated privileges when the searchbook program utilizes the modified files.
Step 5: Overwrite Target File: The attacker overwrites the iconbook and/or searchbook files with the malicious payload.
Step 6: Trigger Execution: The attacker triggers the execution of the searchbook program, which, in turn, executes the malicious payload due to the modified files.
Step 7: Privilege Escalation: The malicious payload executes with the privileges of the searchbook program, potentially granting the attacker root access or other elevated privileges.
The vulnerability lies in the desktop searchbook program in IRIX versions 5.0.x through 6.2. The program sets incorrect permissions on the iconbook and searchbook files it creates, making them writable by unauthorized users, who can then overwrite them with malicious content. The root cause is a failure to restrict access to these per-user configuration files: the program applies no adequate access control, so any user can modify files that a privileged process subsequently uses, producing a privilege escalation scenario. Inadequate file permission management is therefore the core of the vulnerability.
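The following audit script is an added example, not part of the original advisory or of any IRIX component. It shows the check an administrator would run for the weakness described above: whether per-user files such as the iconbook and searchbook files (paths are assumed; the demo constructs throwaway files in a temporary directory) are writable by group or world, and whether the containing directory lets other users replace them. It also tightens the permissions of a flagged file.

```shell
#!/bin/sh
# Added example (not from the original advisory): audit per-user configuration
# files for group/world write permission, the same weakness the searchbook
# advisory describes, and tighten any file that is flagged.
# File paths are assumptions; the demo below constructs files in a temp dir.

# Exit 0 if group or "other" has the write bit on $1, 1 otherwise.
# Parses the ls mode string (column 6 = group write, column 9 = other write),
# which is POSIX-portable, unlike stat -c / find -perm /.
is_group_or_world_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if directory $1 lets other users create or replace entries:
# group/other write bit set and no sticky bit (column 10 is t or T).
# A sticky, world-writable directory such as /tmp is tolerated.
is_unsafe_dir() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        *[tT]) return 1 ;;
    esac
    is_group_or_world_writable "$1"
}

# Print one status line per file, then the number of insecure files as the
# last line of output. A file counts as insecure if it is writable by others
# or sits in a directory where others can replace it.
audit_files() {
    insecure=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING: $f"
            continue
        fi
        if is_group_or_world_writable "$f"; then
            echo "INSECURE: $f is group- or world-writable"
            insecure=$((insecure + 1))
        elif is_unsafe_dir "$(dirname "$f")"; then
            echo "INSECURE: $f can be replaced via its directory"
            insecure=$((insecure + 1))
        else
            echo "ok: $f"
        fi
    done
    echo "$insecure"
}

# Convenience wrapper: just the count of insecure files.
count_insecure() {
    audit_files "$@" | tail -n 1
}

# Remediation for a flagged file: remove group/other write bits, keep owner rw.
harden_file() {
    chmod go-w "$1"
}

# Demo with constructed files (not real IRIX paths).
tmp=$(mktemp -d)
chmod 755 "$tmp"
printf 'demo\n' > "$tmp/searchbook"; chmod 666 "$tmp/searchbook"
printf 'demo\n' > "$tmp/iconbook";   chmod 644 "$tmp/iconbook"
audit_files "$tmp/searchbook" "$tmp/iconbook"
harden_file "$tmp/searchbook"
audit_files "$tmp/searchbook" "$tmp/iconbook"
rm -rf "$tmp"
```

Run it as the user who owns the files; the directory check matters because a file with correct mode bits can still be unlinked and replaced if its parent directory is writable by others without the sticky bit.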