Yet another (minor) SGI bug

Joerg Kuemmerlen (joku@BTGIX8.BGI.UNI-BAYREUTH.DE)
Tue, 05 Aug 1997 14:36:29 +0000

Last Saturday I was cleaning up my web page directory, and
I found an 'index.html.N' file created by our new O2 (via NFS). Apparently
this is just a default home page 'outbox' was creating at the
time when I first logged in to the new O2 machine. Outbox was
even clever enough to realize that I already had an index.html and
was therefore writing the 'index.html.N' file. I was
close to deleting it, when I thought I might have a look at
the content of that file ;-))

I was a little bit angry, when I read that mail might be sent to
me under an email address like

joku@O2internetaddress.NISDomainname

I was tracing down the bug to a few lines in the outbox shell script
located at :

/var/X11/xdm/firsttime/outbox

There one finds :

#
# compute hostname
#

host=`/usr/bsd/hostname`
if [ -x /usr/bin/domainname ] ; then
    hostonly=`echo $host | sed -e 's/\..*$//'`
    thisdomain=`/usr/bin/domainname`
    if [ "$thisdomain" != "" ] ; then
        server=$host.$thisdomain
    else
        server=$host
    fi
else
    server=$host
fi

This line does all the damage:

thisdomain=`/usr/bin/domainname`

$thisdomain will contain the NIS domain name, if NIS is running on the
machine.

The $server variable is finally used in the html file:

<p>Send <a href="mailto:$UserName@$server">email to me.</a>
<p>My machine is: <a href="/cgi-bin/MachineInfo">$host</a>

$server thus apparently contains the NIS domainname if NIS is running.

I guess that most of you know what to do in order to hack the
whole NIS domain once you have the NIS domain name ;-))

I was just crosschecking the whole thing with a few IRIX 6.3 and IRIX 6.4
machines running NIS and I found that the NIS domainname was written to
all default homepages *LOL*.
Furthermore I was checking a few O2 machines on the net - and again :
The NIS domain name could be found on the 'outbox' default homepages
of users, who most likely do not even know that they have a homepage
at all ;-)).
I guess the whole thing is a minor bug only: in most cases
I have checked NIS domain name and real domain name have
been identical (and easy to guess) anyway ;-))

Information has been sent to SGI Security headquarters and DFN-CERT.

A few questions remain :

1.) Why has the domain name to be used ?? hostname would simply be enough.
2.) Do SGI software engineers think about their code at all ??
3.) Has all SGI software to be tested by users instead of SGI software
engineers ??
4.) When will SGI stop this kind of WWW nonsense ??

Cheers
Joerg

--
*************************************************************************
*   Joerg Kuemmerlen                                    |               *
*   Bayerisches Geo-Institut                            | It's a        *
*   Universitaet Bayreuth                               | fulltime      *
*   D-95440 Bayreuth                                    | job for       *
*   Germany                                             | anyone        *
*                                                       | to stay       *
*   Tel.:  ++49-921-55 37 19                            | alive.        *
*   Fax :  ++49-921-55 37 69                            |               *
*   email: joku@uni-bayreuth.de                         | J. Cocker     *
*   WWW: http://torech-ungol.bgi.uni-bayreuth.de/~joku  |               *
*************************************************************************
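
A check for the leak described in the post above, added here as an example; it is not part of the original message or of SGI's outbox script. It lists generated home pages whose mailto: link carries the NIS domain name as host suffix. The function names, the sample tree and the names o2host.example.org and nis-example are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post or of SGI's outbox script.
# Audits a web tree for generated home pages whose mailto: link carries the
# NIS domain name as the host suffix ($server = $host.$thisdomain).

# Print the host part of every mailto: link in file $1, lowercased.
mailto_hosts() {
    grep -io 'mailto:[^"@ ]*@[^"> ?]*' "$1" 2>/dev/null |
        sed 's/.*@//' | tr 'A-Z' 'a-z'
}

# Succeed if any mailto: host in file $1 ends in ".<NIS domain name $2>".
leaks_nis_domain() {
    nis=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$nis" ] || return 1          # NIS not configured: nothing to leak
    for h in $(mailto_hosts "$1"); do
        case "$h" in
            *."$nis") return 0 ;;      # quoted, so dots match literally
        esac
    done
    return 1
}

# List index.html and index.html.N style files under $1 that leak $2.
audit_tree() {
    find "$1" -type f -name 'index.html*' | sort | while IFS= read -r f; do
        if leaks_nis_domain "$f" "$2"; then printf '%s\n' "$f"; fi
    done
}

# Constructed sample tree: one page as outbox writes it, one with host only.
make_sample() {
    mkdir -p "$1/alice" "$1/bob"
    printf '%s\n' '<p>Send <a href="mailto:alice@o2host.example.org.nis-example">email to me.</a>' \
        > "$1/alice/index.html.N"
    printf '%s\n' '<p>Send <a href="mailto:bob@o2host.example.org">email to me.</a>' \
        > "$1/bob/index.html"
}

# Demo on the constructed tree; on a real host pass the directory holding the
# users' web pages and the output of domainname instead.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_tree "$demo_dir" "nis-example"
rm -rf "$demo_dir"
```

Where the NIS domain name and the real DNS domain are identical, every page is flagged, which matches the case the post calls easy to guess anyway.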