Bugtraq mailing list archives
xnews and XDM
From: hartmans () bga com (Sam Hartman)
Date: Thu, 21 Jul 1994 22:23:58 -0500
> From: "Vatsal P. Sonecha" <sonecha () eecs umich edu>
> Date: Wed, 20 Jul 1994 22:28:14 -0400 (EDT)
>
> What version of AIX would this be? And, I would be very appreciative to find out where I can get an exploit script.
>
> Thanks,
> Vatsal.
>
> |    __o     Vatsal P. Sonecha | Advanced Integrated Solutions, Inc. |
> |  _ \<,_    Monal V. Sonecha  | 3745 Greenbrier Blvd, Unit# 227-C   |
> | (_)/ (_)   Ph: 313.994.5748  | Ann Arbor, MI 48105-2682            |
> |~~~~~~~~~~  FAX: 313.994.5758 | United States of America            |

I have 3.2.5, but I suspect the problem is version-independent: any system running XDM and DPS should exhibit the problem. To exploit the bug, you will want to use PostScript operators like file, read, and write to modify /etc/security/passwd and remove root's password. I don't think AIX supports the pipe operator, but I don't know for sure; if it does, then getting a root-owned aixterm is trivial.

Another simpler demonstration is to create an important How about tdocument owned by some user other than yourself, How about this as an exploit: create a one-page PostScript ned by someone else, unreadable by your user ID. Then, run /usr/lpp/DPS/bin/dpsexec and enter the following:

    /showpage {} def
    (/path/of/important/file.ps) run
    quit

Again, to close, just disable either DPS or XDM.

--Sam