Bugtraq mailing list archives

Huge security hole in SDRC IDEAS MS6 cad system.

From: sow () CAD LUTH SE (Sven-Ove Westberg)
Date: Fri, 5 Jun 1998 14:27:44 +0200


Hi.

I have found a huge security hole with the SDRC's new CAD system IDEAS
Master Series 6. The now use the orbixd as an interface daemon and they
run it as root!! I looked at Internet and found that s they run the daemon
anyone can get root access or access as any user, from anyhost that can
acces the TCP/IP port on the machine.

Here is some references on security ond orbixd.
http://list-archive.qds.com/corba-dev-html.1997/1663.htmsl
http://www.iona.com/support/whitepapers/orbixsecurity/
http://tappi.me.tut.fi/~paavo/corba_docs/prguide/part2/chapter6/imprep10.html


The CAD system is the main CAD system at many big companies for example
Ford. I have sent out a waring to the mailing list for IDEAS users,  we have
also filed a bug report but SDRC seems to ignore the security of their
customers computers since we have not heard any thing from them.
SDRC did not supply you with any documentation on the orbixd just a script
that you should run as ROOT!!! I think that talks for it self.

Other systems may also use the orbixd look out for them.

This is the Orbix.cfg file.

 # Below are listed the main orbix environment configuration variables
 # and associated default values. An Orbix client, server or daemon will
 # use these values if, and only if, the relevant unix environment
 # variable is not defined.

 # the port number for the Orbix daemon:
 IT_DAEMON_PORT          1570

 # the starting port number for daemon-run servers:
 IT_DAEMON_SERVER_BASE   1590

 # the full path name of the error messages _file_:
 IT_ERRORS               $(SDRC_ORBIX_ROOT)/lib/ErrorMsgs

 # the full path name of the Implmentation Repository _directory_
 IT_IMP_REP_PATH         $(SDRC_ORBIX_SPOOL)/Repository

 # the full path name of the Interface Repository _directory_:
 IT_INT_REP_PATH         $(SDRC_ORBIX_SPOOL)/Interfaces

 # the full path name of the _directory_ holding the locator files:
 IT_LOCATOR_PATH         $(SDRC_ORBIX_SPOOL)/Locator

Did anyone know if I can run the orbixd under tcpwrapper?
What is the two ports for? Did it listen on two ports?

Regards,

--
Sven-Ove Westberg, CAD, University of Lulea, S-971 87 Lulea, Sweden.

Current thread:

CISCO PIX Vulnerability Damir Rajnovic (Jun 03)
- Re: CISCO PIX Vulnerability Rick Smith (Jun 10)
- <Possible follow-ups>
- Re: CISCO PIX Vulnerability David Wagner (Jun 03)
  - Re: CISCO PIX Vulnerability Damir Rajnovic (Jun 03)
  - FreeBSD Security Advisory: FreeBSD-SA-98:05.nfs Aleph One (Jun 04)
    - Re: FreeBSD Security Advisory: FreeBSD-SA-98:05.nfs matthew green (Jun 04)
  - Huge security hole in SDRC IDEAS MS6 cad system. Sven-Ove Westberg (Jun 05)
  - Security flaw in Accelerated-X 4.1 Stefan Laudat (Jun 08)
- Re: CISCO PIX Vulnerability Damir Rajnovic (Jun 05)
- Re: CISCO PIX Vulnerability Jamie Thain (Jun 20)