Bugtraq mailing list archives

SOLARIS/CDE/DT cover up : dtspcd


From: anthony () SCT FR (Anthony C. Zboralski)
Date: Thu, 5 Jun 1997 05:37:48 +0200


Have you ever heard of the CDE Subprocess Control daemon..

          dtspc      6112/tcp

Well I don't really like dt, it is slow and the only window manager I like
is Afterstep.. but one day when I logged on sol251.chump.flakes.org..
it was running DT and there was this ugly application manager..
In the folder "Desktop Tools", I found these Xterm remote and terminal remote
icons..

One of them corresponded to xterm_dtspcd..

I launched it and, oh well, it requested a remote hostname..
I entered one that was on the same subnet... and it logged me in without
asking for a password even though .rhosts and hosts.equiv were supposed to
be restricted.. I looked around and found the guilty program:

/usr/dt/bin/dtspcd

aka CDE Subprocess Control daemon..

and it was enabled by default in inetd.conf...

Does anyone have a CDE for Linux or some other architectures?
Solaris might not be the only one vulnerable.
There is a reference to HP/UX in the man page and CDE stands for Common
Desktop Environment.

Look at the authentication scheme in the man page below.
The man page was last modified on April 4th 94.. 3 days too late for
April Fools'.

"What the eye don't see, the ear don't hear, the heart don't grieve
about."
C. Mc Cullough

--
Anthony C. Zboralski ACZ3 <frantic () sct fr>
Immunis, 24, rue Vieille du Temple, 75004 Paris
Phone: +33 1 44 545 535, Fax: +33 1 42 775 649
KeyID 1024/ED8D8A39
Key fingerprint = C5 27 9A 0C 56 30 10 F9  9D 54 EE DB 2C 14 2A 78

dtspcd(1m)            Maintenance Commands             dtspcd(1m)

NAME
     dtspcd - CDE Subprocess Control Service

SYNOPSIS
     dtspcd [ -debug ] [ -log ] [ -auth_dir directory ]
            [ -timeout num_minutes ] [ -mount_point mount_point ]

DESCRIPTION
     The daemon for the CDE Subprocess Control service, dtspcd,
     is not intended to be started directly by the user, rather
     it should be started automatically by the inetd daemon (see
     inetd(1M)) in response to a CDE client requesting a process
     to be started on the daemon's host.

OPTIONS
        -auth_dir  directory
                       The default authentication directory is
                       the user's $HOME directory.  This option
                       allows the system administrator to use a
                       different directory.  Note that directory
                       must be exported to hosts wishing to use
                       the dtspc service.
                       directory - the name of the directory to
                       use for authentication.

        -timeout  minutes
                       By default, the dtspcd process will ter-
                       minate if it does not have any activity
                       (process start or process stop) for 10
                       minutes and dtspcd has no child processes
                       running.  To change the timeout, set
                       minutes to the desired number of minutes.
                       To force the daemon to not use a timer,
                       set minutes to -1.
                       minutes - the number of minutes for the
                       timer.

        -mount_point  mount_point
                       The file system's mount point is named
                       mount_point.  For example, mount_point
                       could be "/net" or "/nfs".  The daemon
                       sets the environment variable DTMOUNTPOINT
                       to the value of mount_point.  This value
                       of DTMOUNTPOINT will override all other
                       definitions of DTMOUNTPOINT.

        -log            This option turns on logging of status
                       information to the file
                       /var/dt/tmp/DTSPCD.log.  The information
                       logged includes the name of the client
                       host, the client's username, error

SunOS 5.5.1         Last change: 4 April 1994                   1

                       messages and the name of the file used for
                       authentication.  The default is to not do
                       any logging.

        -debug          This option turns on logging of dtspc
                       protocol to the file
                       /var/dt/tmp/DTSPCD.log.  The protocol
                       information logged includes the name of
                       the protocol and number of bytes in the
                       request.  The default is to not log the
                       protocol.

AUTHENTICATION
     When a CDE client attempts to connect to a dtspcd daemon,
     the client sends the daemon its username.  The daemon uses
     the username to determine the user's home directory on the
     daemon's host.  The home directory is used during authenti-
     cation and it must be readable by the daemon and writable by
     the client.  Therefore, the user's home directory on the
     daemon's host must be mounted to the client host.  If the
     user's home directory is not readable and the -auth_dir com-
     mand line option is not used, the directory /var/dt/tmp will
     be used.

     To use a directory other than the user's home directory for
     authentication, use the -auth_dir command line option.

CONFIGURATION
     The dtspcd daemon is an Internet service that must be
     registered in the file /etc/services as follows:

          dtspc      6112/tcp

     and in the file /etc/inetd.conf as follows:

          dtspc  stream  tcp  nowait  root  /usr/dt/bin/dtspcd  /usr/dt/bin/dtspcd
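
An added audit helper (not from the original post or from CDE) that checks whether the dtspc entries registered as above are still active in an inetd.conf and a services file, and emits the commented-out form an administrator uses to stop inetd from spawning the daemon. The sample files are constructed and the file paths are assumptions:

```shell
#!/bin/sh
# Audit helper added here; not part of the original post or of CDE.
# The entry names (dtspc, 6112/tcp, /usr/dt/bin/dtspcd) come from the man page;
# the file locations used below are assumptions for the constructed sample.

# dtspc_enabled FILE: exit 0 if FILE has an uncommented dtspc entry, 1 otherwise.
# A leading '#' (possibly after whitespace) means the entry is already disabled.
dtspc_enabled() {
    grep -q '^[[:space:]]*dtspc[[:space:]]' "$1"
}

# dtspc_disable FILE: print FILE with every active dtspc entry commented out.
# After installing the result as /etc/inetd.conf, inetd rereads it on SIGHUP.
dtspc_disable() {
    sed 's/^\([[:space:]]*dtspc[[:space:]]\)/#\1/' "$1"
}

# audit_dtspc INETD_CONF SERVICES: one finding line per file.
audit_dtspc() {
    for f in "$1" "$2"; do
        if dtspc_enabled "$f"; then
            echo "ENABLED: active dtspc entry in $f"
        else
            echo "ok: no active dtspc entry in $f"
        fi
    done
}

# Constructed sample files: an inetd.conf with the default-style dtspc line
# and a services file carrying the 6112/tcp registration from the man page.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/inetd.conf" <<'EOF'
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd   in.ftpd
dtspc   stream  tcp  nowait  root  /usr/dt/bin/dtspcd  /usr/dt/bin/dtspcd
EOF
cat > "$SAMPLE_DIR/services" <<'EOF'
ftp     21/tcp
dtspc   6112/tcp
EOF

audit_dtspc "$SAMPLE_DIR/inetd.conf" "$SAMPLE_DIR/services"
# Hardened copy: the dtspc line is now commented out, ftp is untouched.
dtspc_disable "$SAMPLE_DIR/inetd.conf" > "$SAMPLE_DIR/inetd.conf.hardened"
```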

ENVIRONMENT VARIABLE MANAGEMENT
     The CDE Subprocess Control service allows the user and sys-
     tem administrator to create files of environment variable
     definitions to be placed in the processes environment before
     a remote process is started.  See dtspcdenv(4M) for more
     information.

OPERATING SYSTEM DEPENDENCIES
     On HP-UX, the file /usr/adm/inetd.sec may be used to control
     access to the dtspcd daemon.  See inetd.sec(4) for more
     information.

FILES
        /usr/dt/bin/dtspcd
                       The CDE Subprocess Control daemon

        /etc/services  The Internet service name data base

        /etc/inetd.conf
                       The inetd configuration file

        /etc/dt/config/dtspcdenv
                       System-wide, locally defined environment
                       variable definitions used when a process
                       is executed

        /usr/dt/config/dtspcdenv
                       System-wide, installed environment vari-
                       able definitions used when a process is
                       executed

        $HOME/.dt/dtspcdenv
                       User-specific environment variable defini-
                       tions used when a process is executed

        /var/dt/tmp/DTSPCD.log
                       The dtspcd log file

DIAGNOSTICS
     Use the command line options -log and -debug (described
     above) to get diagnostic information.

SEE ALSO
     inetd(1M), services(4), inetd.conf(4), dtspcdenv(4M).

SunOS 5.5.1         Last change: (April Fool)+3 1994                   3
