SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Generic)  >  Xkas
Vendors:  Xinet
Xinet's 'xkas' AppleShare Administration Tool Discloses Any Local File Contents to Local Users
SecurityTracker Alert ID:  1003379
CVE Reference:  CAN-2002-0213
Date:  Jan 28 2002
Impact:  Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Advisory:  Hackerslab
Description:  Hackerslab reported a vulnerability in Xinet's 'xkas' AppleShare administration tool for UNIX systems. A local user can view files on the server with root privileges.

It is reported that when a local user shares a directory, the application creates the '.HSResource' directory and the '.HSicon' file. The '.HSicon' file is reportedly created by copying the '/var/adm/appletalk/icons/VOLICON' file. It is reported that the /var/adm/appletalk/icons directory is configured with 777 permissions (i.e., world read, write, and execute), allowing an unprivileged local user to create a symbolic link from the VOLICON file to another critical file on the server. Then, when a local user (the AppleShare administrator) invokes the 'xkas' application to share the directory, the application will copy the linked file to that directory (instead of the intended VOLICON file). The newly created '.HSicon' file may have world readable privileges.

Impact:  A local user may be able to view specific files on the server with root level privileges.
Solution:  No solution was available at the time of this entry.

The author of the report suggests, as a workaround, removing 'other' write permissions from the icons directory:

$ su -
# chmod o-w /var/adm/appletalk/icons
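The report describes two defects that combine: a world-writable template directory lets any local user plant a symbolic link, and the privileged copy follows that link and writes the target's contents into a world-readable file. The script below is an added example, not code from the advisory, from Hackerslab or from Xinet. It shows what an administrator-side audit and a hardened copy routine would check: `audit_icon_dir` flags a directory writable by 'other' (without the sticky bit) and any symlink entries, and `safe_copy` opens the source with `O_NOFOLLOW` so a link is refused atomically, verifies on the open descriptor that it is a regular file with the expected owner, and creates the destination with mode 0600 instead of world-readable. All paths are constructed in a temporary directory that mirrors the layout in the report; the function names are assumptions for this example.

```python
# Added example (not from the advisory or from Xinet): an audit of a template
# directory that a privileged tool copies from, and a copy routine that does
# not follow symlinks. Paths are constructed in a temporary directory.
import os
import stat
import tempfile


def audit_icon_dir(icon_dir):
    """Return findings for a directory a privileged tool copies from.

    Flags: directory writable by 'other' without the sticky bit, and any
    entry that is a symbolic link (a privileged copy would follow it).
    """
    findings = []
    st = os.lstat(icon_dir)
    if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
        findings.append("world-writable directory without sticky bit")
    for name in sorted(os.listdir(icon_dir)):
        path = os.path.join(icon_dir, name)
        if os.path.islink(path):
            findings.append("symlink: %s -> %s" % (name, os.readlink(path)))
    return findings


def safe_copy(src, dst, expected_uid=None):
    """Copy src to dst without following a symlink at src.

    O_NOFOLLOW makes open() fail if src is a symlink, so the check and the
    open are one step (no lstat-then-open race). Ownership and file type are
    checked with fstat on the descriptor just opened. The destination is
    created with O_EXCL and mode 0600, so it is neither clobbered nor
    world-readable.
    """
    try:
        fd = os.open(src, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as e:
        return False, "refused %s: %s" % (src, e.strerror)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            return False, "refused %s: not a regular file" % src
        if expected_uid is not None and st.st_uid != expected_uid:
            return False, "refused %s: owned by uid %d, expected %d" % (
                src, st.st_uid, expected_uid)
        out = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        try:
            while True:
                chunk = os.read(fd, 65536)
                if not chunk:
                    break
                os.write(out, chunk)
        finally:
            os.close(out)
    finally:
        os.close(fd)
    return True, "copied %s -> %s" % (src, dst)


def demo():
    """Build a constructed layout mirroring the report and run both checks."""
    root = tempfile.mkdtemp()
    icons = os.path.join(root, "icons")
    os.mkdir(icons)
    os.chmod(icons, 0o777)                 # the 777 misconfiguration
    secret = os.path.join(root, "secret")  # stands in for a sensitive file
    with open(secret, "w") as f:
        f.write("not-for-everyone\n")
    os.symlink(secret, os.path.join(icons, "VOLICON"))  # planted link
    findings = audit_icon_dir(icons)
    ok, _ = safe_copy(os.path.join(icons, "VOLICON"),
                      os.path.join(root, ".HSicon"))
    # Apply the workaround (o-w) and restore a real template file: the copy
    # now succeeds and the result is not world-readable.
    os.chmod(icons, 0o755)
    os.unlink(os.path.join(icons, "VOLICON"))
    with open(os.path.join(icons, "VOLICON"), "wb") as f:
        f.write(b"icon-bytes")
    ok2, _ = safe_copy(os.path.join(icons, "VOLICON"),
                       os.path.join(root, ".HSicon"),
                       expected_uid=os.getuid())
    with open(os.path.join(root, ".HSicon"), "rb") as f:
        copied = f.read()
    return {
        "findings": findings,
        "blocked": not ok,
        "copied": ok2 and copied == b"icon-bytes",
        "mode": stat.S_IMODE(os.stat(os.path.join(root, ".HSicon")).st_mode),
        "after": audit_icon_dir(icons),
    }


if __name__ == "__main__":
    print(demo())
```

The audit alone would have caught both the directory mode and the planted link before an administrator ran the tool; the `O_NOFOLLOW` open is the change that makes the copy itself safe even if the directory is later left writable again.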

Vendor URL:  www.xinet.com/
Cause:  Access control error, Configuration error
Underlying OS:  UNIX (SGI/IRIX), UNIX (Solaris - SunOS)
Underlying OS Comments:  Tested on IRIX 6.5; may also apply to Solaris because this product is available on Solaris.
Reported By:  s96192@ce.hannam.ac.kr
Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 11 2002 (SGI Issues Corrective Procedures) Re: Xinet's 'xkas' AppleShare Administration Tool Discloses Any Local File Contents to Local Users   (SGI Security Coordinator <agent99@sgi.com>)
SGI has issued a fix and has described corrective procedures.



Source Message Contents

Date:  Mon, 28 Jan 2002 18:06:16 +0900 (KST)
From:  s96192@ce.hannam.ac.kr
Subject:  [ Hackerslab bug_paper ] Xkas application vulnerability


=============================================================================

       [ Hackerslab bug_paper ] Xkas application vulnerability

=============================================================================

File   : /usr/etc/appletalk/xkas application

SYSTEM : tested irix 6.5

INFO :

Xkas is a server administration tool for appleshare. Misconfiguration by the user with the root privilege could lead to a serious security vulnerability. The .HSResource directory and .HSicon file are created when sharing a directory. Creation of the HSicon file is accomplished by copying the /var/adm/appletalk/icons/VOLICON file. A problem occurs during this process because the permission of the /var/adm/appletalk/icons directory is set to 777 (world-writable). Link the wanted file with VOLICON like the following.

$ ls -al /var/adm/appletalk/icons
total 8
drwxrwxrwx    4 root     sys           57 Jan 25 03:12 .
drwxr-xr-x    6 root     sys         4096 Jan 24 16:05 ..
drwxr-xr-x    2 root     sys            9 Jan 25 03:12 .HSResource
lrwxr-xr-x    1 loveyou  user          11 Jan 25 03:05 VOLICON -> /etc/shadow

When the administrator uses the /usr/etc/appletalk/xkas directory to share the root directory, the following files are created in the root.

$ ls -al /
total 17099
drwxr-xr-x   37 root     sys         4096 Jan 25 03:30 .
drwxr-xr-x   37 root     sys         4096 Jan 25 03:30 ..
drwxr-xr-x    2 root     sys            9 Jan 25 03:30 .HSResource
-rw-r--r--    1 root     sys          786 Jan 25 03:30 .HSicon
(etc..)

$ cat /.HSicon
root:y7floveyous30I:10908::::::
bin:yxaiFduxixe8s:11127::::::
uucp:*:11127::::::
sys:*:11127::::::
adm:*:11127::::::
loveyou:mXaa2jxi/ejY:10877::::::
(etc..)

SOLUTION :

Remove other-write permission, contact your vendor and get a patch.

$ su -
# chmod o-w /var/adm/appletalk/icons

==-------------------------------------------------------------------------==
 Kim Yong-Jun
 loveyou@hackerslab.org
 [ http://www.hackerslab.org ]
 HACKERSLAB (C) since 1999
==-------------------------------------------------------------------------==








Copyright 2002, SecurityGlobal.net LLC