Bugtraq mailing list archives

xnews and XDM


From: hartmans () bga com (Sam Hartman)
Date: Thu, 21 Jul 1994 22:23:58 -0500


   From: "Vatsal P. Sonecha" <sonecha () eecs umich edu>
   Date: Wed, 20 Jul 1994 22:28:14 -0400 (EDT)
   X-Mailer: ELM [version 2.4 PL23]
   MIME-Version: 1.0
   Content-Type: text/plain; charset=US-ASCII
   Content-Transfer-Encoding: 7bit
   Content-Length: 891       
   Sender: bugtraq-owner () crimelab com
   Precedence: bulk

   What version of AIX would this be? And, I would be very appreciative 
   to find out where I can get an exploit script. 

   Thanks,
   Vatsal.

   |    __o      Vatsal P. Sonecha   |   Advanced Integrated Solutions, Inc.  |
   |  _ \<,_     Monal  V. Sonecha   |   3745 Greenbrier Blvd, Unit# 227-C    |
   | (_)/ (_)    Ph:  313.994.5748   |   Ann Arbor, MI 48105-2682             |
   |~~~~~~~~~~   FAX: 313.994.5758   |   United States of America             |


        I have 3.2.5, but I suspect the problem is
version-independent: any system running XDM and DPS should exhibit the
problem.

        To exploit the bug, you will want to use PostScript operators
like file, read, and write to modify /etc/security/passwd and remove
root's password.  

        I don't think AIX supports the pipe operator, but I don't know
for sure; if it does, then getting a root-owned aixterm is trivial.  

        Another, simpler demonstration: create a one-page PostScript
document owned by some user other than yourself, unreadable by your
user ID.  Then, run /usr/lpp/DPS/bin/dpsexec and enter the following:

/showpage {} def
(/path/of/important/file.ps) run
quit

        Again, to close, just disable either DPS or XDM.

--Sam
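As an added example (not from the post or from AIX/DPS), here is a small defender-side Python filter that flags PostScript jobs invoking the file and process operators Sam names (file, read, write, run, pipe) before such input is handed to a privileged interpreter; deletefile and renamefile are added on my assumption that they belong to the same class, and both sample jobs below are constructed.

```python
import re

# PostScript operators that reach the host file system or spawn processes.
# The post names file, read, write, run and pipe; deletefile and renamefile
# are added here as standard operators of the same class (assumption).
FILE_OPERATORS = {"file", "read", "write", "run", "pipe",
                  "deletefile", "renamefile"}

# A PostScript name token: optional leading "/" (literal name), then any
# run of characters that are neither whitespace nor delimiters.
TOKEN_RE = re.compile(r"(/?)([^\s()<>\[\]{}/%]+)")


def blank_strings_and_comments(src):
    """Replace (...) strings, <...> hex strings and % comments with spaces,
    so operator names appearing inside them are not miscounted."""
    out, i, n = [], 0, len(src)
    while i < n:
        c = src[i]
        if c == "%":                                  # comment to end of line
            while i < n and src[i] not in "\r\n":
                i += 1
        elif c == "(":                                # string; parens nest, \ escapes
            depth = 0
            while i < n:
                if src[i] == "\\":
                    i += 2
                    continue
                depth += {"(": 1, ")": -1}.get(src[i], 0)
                i += 1
                if depth == 0:
                    break
            out.append(" ")
        elif c == "<":
            if src.startswith("<<", i):               # dict delimiter, not a string
                out.append("<<")
                i += 2
            else:                                     # hex string up to ">"
                end = src.find(">", i)
                i = n if end < 0 else end + 1
                out.append(" ")
        else:
            out.append(c)
            i += 1
    return "".join(out)


def find_file_operators(src):
    """Executable names in src that are file or process operators, in order.
    Literal names such as /showpage are definitions, not calls, and are skipped."""
    cleaned = blank_strings_and_comments(src)
    return [name for slash, name in TOKEN_RE.findall(cleaned)
            if not slash and name in FILE_OPERATORS]


# Constructed samples: the dpsexec input from the post, which is flagged,
# and an ordinary drawing job that mentions "run" only in text, which is not.
DPSEXEC_INPUT = "/showpage {} def\n(/path/of/important/file.ps) run\nquit\n"
BENIGN_JOB = "%!PS\n% run of the mill page\n(run) show showpage\n"

if __name__ == "__main__":
    for label, job in (("dpsexec input", DPSEXEC_INPUT), ("benign job", BENIGN_JOB)):
        print(label, "->", find_file_operators(job) or "no file operators")
```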
