[10600] in bugtraq
ExLibris Aleph Web server Security Alert
daemon@ATHENA.MIT.EDU (Jakub Urbanec)
Fri May 21 12:39:46 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.3.95.990521120538.5618B-100000@satyr1.zcu.cz>
Date: Fri, 21 May 1999 12:08:00 +0200
Reply-To: Jakub Urbanec <urbanec@CIV.ZCU.CZ>
From: Jakub Urbanec <urbanec@CIV.ZCU.CZ>
To: BUGTRAQ@NETSPACE.ORG
We have found a security hole in web server bundled with Aleph librarian
system ver. 3.25 and higher (ExLibris). The web server in its default
configuration allows anybody to view any file in the system the aleph
instalation owner can access.
It it very simple to grab for example /etc/passwd file from Aleph web
server.
The bug with all details was already posted to ExLibris
and to some groups of Aleph users.
Workaround:
1) do not run web server as root at any circumstance!
2) use /etc/shadow or similar system
3) use tcpd wrappers for denying possible logins
4) watch logs from web server
Please spread this message to Aleph admins!
Jakub CUBA++ Urbanec
.....................................................................
Univerzitni 20 tel.:+420-19-7491538 Jakub Cuba++ Urbanec
306 14, Plzen http://home.zcu.cz/~urbanec LPS-CIV-ZCU
Czech Republic
---------- Forwarded message ----------
Date: Wed, 19 May 1999 11:25:59 -0400
From: "Larry W. Cashdollar" <lwcashd@BIW.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: IRIX midikeys root exploit.
Aleph1,
Please forgive me if this has already been on this list. I searched
geek-girl with no luck. I have been auditing our IRIX boxes and found what I
believe to be a new vulnerability.
On IRIX 6.5 systems (IRIX Release 6.5 IP28 )
# uname -a
IRIX64 devel 6.5 05190004
The setuid root binary midikeys can be used to read any file on the
system using its gui interface. It can also be used to edit anyfile on the
system. I was able to get from guest account access to root access using the
following procedure.
1) Choose an unpassworded account and telnet in. I like guest or lp.
devel 25% id
uid=998 gid=998(guest)
2) Execute the midikeys application with display set to your host.
devel 26% ./midikeys
devel 27% Xlib: extension "GLX" missing on display "grinch:0.0".
Xlib: extension "GLX" missing on display "grinch:0.0".
3) under the midikeys window click sounds and then midi songs. This will
open a file manager type interface.
4) You can enter the path and filename of files you which to read.
including root owned with group/world read/write permissions unset.
5) If you select a file like "/usr/share/data/music/README" it will
appear in a text editor. Use the text editor to open /etc/passwd and
make modifications at will. Save and enjoy.
So I removed the '*' from sysadm...
$ su sysadm
# id
uid=0(root) gid=0(sys)
devel 28% ls -l /usr/sbin/midikeys
-rwsr-xr-x 1 root root 218712 Jan 10 17:19 /usr/sbin/midikeys
I have tested this on 2 IRIX 6.5 hosts with success. A patch exists for
startmidi and stopmidi buffer overflows.
More info on previous patch:
ftp://sgigate.sgi.com/security/19980301-01-PX).
However, I didnt find any for midikeys.
-- Larry W. Cashdollar
UNIX/Security Operations.
Computer Sciences Corporation.
