[471] in Best-of-Security


BoS: Digital Unix Security Problem

daemon@ATHENA.MIT.EDU (Tom Leffingwell)
Sun Nov 16 02:24:33 1997

Delivered-To: best-of-security-mtg@menelaus.mit.edu
Date: 	Wed, 12 Nov 1997 14:51:40 -0500
Reply-To: Tom Leffingwell <tom@sba.miami.edu>
From: Tom Leffingwell <tom@sba.miami.edu>
Old-X-Originally-To: To: BUGTRAQ@NETSPACE.ORG
Old-X-Originated-From: From: Tom Leffingwell <tom@SBA.MIAMI.EDU>
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au


        I tried reporting this to DEC, but because I didn't have a
software support agreement number handy, they wouldn't let me report
anything, then they placed me on hold for 30 minutes, then they
disconnected me.

Tip to DEC: Allow people to report security problems without paying for
            software support.  Or at least allow someone other than the
            designated contact to report security problems.

Version Affected:  Digital UNIX 4.0B *with* patch kit 5
                   Unpatched 4.0B is not vulnerable to this particular
                   problem, but it is to others.

Impact:  Local users may overwrite system files, and possibly obtain root.

Problem:

        Patch kit 5 included a replacement xterm because the old one had a
bug, too.  They replaced it with another that had a bigger problem.  You
can cause a segmentation fault in xterm simply by setting your DISPLAY
variable to a display that you aren't allowed to connect to or one that
doesn't exist.  Start xterm, and you get a core file.

        Xterm is installed setuid root.  I'm not 100% sure what happens,
since DEC doesn't release the source for patches.  It does dump core at
XtOpenApplication(), however.

        Even with a buffer overflow, I've never seen anyone exploit one on
DU. If anyone has done so successfully, please email me.  Despite that, a
person with basic knowledge of unix could easily do something like:

#!/bin/csh
cd /tmp
ln -s /etc/passwd /tmp/core
setenv DISPLAY abcdefghi
/usr/bin/X11/xterm

        The contents of /etc/passwd become xterm's core, preventing
further logins.  Obviously you could do things without an immediate impact
such as ln -s /vmunix /tmp/core.


Workaround:

        Needless to say, change permissions on xterm, have the users run
dxterm; it's better anyway.
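The following POSIX sh functions are an added example, not part of Tom
Leffingwell's post, showing the checks an administrator would run after
reading the above: inventory setuid binaries under a directory, drop the
setuid bit from one (the workaround), and flag symlinks named "core" in a
scratch directory that point outside it (the /tmp/core -> /etc/passwd
pattern from the post). The function names, and the fact that every path
is a parameter rather than /usr/bin/X11/xterm or /tmp, are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): audit helpers for the
# setuid-xterm core-dump problem. All paths are parameters so the
# functions can be exercised against a scratch directory.

# Return 0 if the file has the setuid bit set.
is_setuid() {
    [ -u "$1" ]
}

# Print every setuid regular file under a directory, one per line.
# This is the inventory step before deciding which bits to drop.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Remove the setuid bit (the workaround from the post).
drop_setuid() {
    chmod u-s "$1"
}

# Print "link -> target" for each symlink named core or core.* in the
# given directory whose target lies outside that directory. Relative
# targets are reported too, since they cannot be proven safe here.
find_core_symlinks() {
    dir=$1
    for f in "$dir"/core "$dir"/core.*; do
        [ -L "$f" ] || continue
        target=$(readlink "$f")
        case "$target" in
            "$dir"/*) ;;                           # stays inside the scratch dir
            *) printf '%s -> %s\n' "$f" "$target" ;;
        esac
    done
}
```

Run `list_setuid /usr/bin/X11` to see whether xterm is among the setuid
binaries, `drop_setuid` on it to apply the workaround, and
`find_core_symlinks /tmp` from cron to catch the symlink being planted
before a setuid program dumps core through it.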

___________________________________________________________________

                          Tom Leffingwell
                        University of Miami
                          (305) 284-1337

Systems Administrator                   Support Manager
Information Technology                  School of Business
Ungar 138                               Jenkins 314M
___________________________________________________________________
