IRIX contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when inpview trusts the user environment and does not drop privileges. A malicious user can set the environment variable SUN_TTSESSION_CMD to "cp /bin/jsh /tmp/jsh;chmod 6755 /tmp/jsh;killall -9 inpview," which will execute with root permissions, thus allowing a regular user to drop a setuid and setgid shell to /tmp. This flaw leads to a loss of integrity.

The vendor has discontinued this product and therefore has no patch or upgrade that mitigates this problem. However, it is possible to fix this vulnerability by implementing the following workaround: remove the setuid bit from inpview.

chmod u-s /usr/lib/InPerson/inpview

• Security Tracker: 1012894
• Bugtraq ID: 12259
• Secunia Advisory ID: 13858
• ISS X-Force ID: 18894
• CVE ID: 2005-0113 (see also: NVD)
• Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-01/0470.html
• Other Advisory URL: http://www.idefense.com/application/poi/display?id=182&type=vulnerabilities
• Vendor URL: http://www.sgi.com/

• iDefense Labs - iDefense Labs