I tried reporting this to DEC, but because I didn't have a
software support agreement number handy, they wouldn't let me report
anything, then they placed me on hold for 30 minutes, then they
disconnected me.
Tip to DEC: Allow people to report security problems without paying for
software support. Or at least allow someone other than the
designated contact to report security problems.
Version Affected: Digital UNIX 4.0B *with* patch kit 5
Unpatched 4.0B is not vunerable to this particular
problem, but it is to others.
Impact: Local users may overwrite system files, and possibly obtain root.
Problem:
Patch kit 5 included a replacement xterm because the old one had a
bug, too. They replaced it with another that had a bigger problem. You
can cause a segmentation fault in xterm simply by setting your DISPLAY
variable to a display that you aren't allowed to connect to or one that
doesn't exist. Start xterm, and you get a core file.
Xterm is installed setuid root. I'm not 100% sure what happens,
since DEC doesn't release the source for patches. It does dump core at
XtOpenApplication(), however.
Even with a buffer overflow, I've never seen anyone exploit on one
DU. If anyone has done so sucessfully, plese email me. Despite that, a
person with basic knowledge of unix could easily do something like:
#/!bin/csh
cd /tmp
ln -s /etc/passwd /tmp/core
setenv DISPLAY abcdefghi
/usr/bin/X11/xterm
The contents of /etc/passwd becomes xterm's core, preventing
further logins. Obviously you could do things without an immediate impact
such as ln -s /vmunix /tmp/core.
Workaround:
Needless to say, change permissions on xterm, have the users run
dxterm, its better anyway.
___________________________________________________________________
Tom Leffingwell
University of Miami
(305) 284-1337
Systems Administrator Support Manager
Information Technology School of Business
Ungar 138 Jenkins 314M
___________________________________________________________________
Received on Wed Nov 12 1997 - 21:11:01 NZDT