ULTRIX 4.4 dxterm file linking hole

Summary

Description:	dxterm, which is suid root, allows the user to specify a file to log output too. Unfortunately it will follow a hardlink to append your stuff to files you shouldn't be able to write to.
Author:	Trevor Schroeder <tschroed@CHEETAH.WSC.EDU>
Compromise:	root (local)
Vulnerable Systems:	Ultrix 4.4, probably 4.5
Date:	26 June 1997

Details

Date: Thu, 26 Jun 1997 10:16:05 -0500
From: Trevor Schroeder <tschroed@CHEETAH.WSC.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: Problem in dxterm (ULTRIX)

On ULTRIX 4.4 (most likely 4.5 as well), there's an enhanced xterm called
dxterm.  Normally it's setuid (doh!).  dxterm allows users to select a file to
log output to.  It's a trivial matter to link this file to another file and
since dxterm is running as root, it's very easy to append arbitrary data to
any file on the filesystem, even if not owned by the particular user.  It does
not seem to follow symlinks.

____________________________________________________________
"...because this little girl needs stuff."

Trevor Schroeder                    tschroed@cheetah.wsc.edu
------------------------------------------------------------

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:

All OS's	Linux	Solaris/SunOS	Micro$oft
*BSD	Macintosh	AIX	IRIX
ULTRIX/Digital UNIX	HP/UX	SCO	Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: