SOLARIS/CDE/DT cover up : dtspcd

Anthony C. Zboralski (anthony@SCT.FR)
Thu, 05 Jun 1997 05:37:48 +0200

Have you ever heard of the CDE Subprocess Control daemon..

dtspc 6112/tcp

Well I don't really like dt, it is slow and the only window manager I like
is Afterstep.. but one day when I logged on sol251.chump.flakes.org..
it was running DT and there was this ugly application manager..
In the folder "Desktop Tools", I found these Xterm remote and terminal remote
icons..

One of them corresponded to xterm_dtspcd..

I launched it and, oh well, it requested a remote hostname..
I entered one that was on the same subnet... and it logged me in without
asking for a password even though .rhosts and hosts.equiv were supposed to
be restricted.. I looked around and found the guilty program:

/usr/dt/bin/dtspcd

aka CDE Subprocess Control daemon..

and it was enabled by default in inetd.conf...

Does anyone have a CDE for Linux or some other architecture?
Solaris might not be the only one vulnerable.
There is a reference to HP-UX in the man page, and CDE stands for Common
Desktop Environment.

Look at the authentication scheme in the man page below.
The man page was last modified on April 4th 94.. 3 days too late for
April Fools'.

"What the eye don't see, the ear don't hear, the heart don't grieve
about."
C. Mc Cullough

--
Anthony C. Zboralski ACZ3 <frantic@sct.fr>
Immunis, 24, rue Vieille du Temple, 75004 Paris
Phone: +33 1 44 545 535, Fax: +33 1 42 775 649
KeyID 1024/ED8D8A39
Key fingerprint = C5 27 9A 0C 56 30 10 F9  9D 54 EE DB 2C 14 2A 78

dtspcd(1m) Maintenance Commands dtspcd(1m)

NAME dtspcd - CDE Subprocess Control Service

SYNOPSIS dtspcd [ -debug ] [ -log ] [ -auth_dir directory ] [ -timeout num_minutes ] [ -mount_point mount_point ]

DESCRIPTION The daemon for the CDE Subprocess Control service, dtspcd, is not intended to be started directly by the user, rather it should be started automatically by the inetd daemon (see inetd(1M)) in response to a CDE client requesting a process to be started on the daemon's host.

OPTIONS -auth_dir directory The default authentication directory is the user's $HOME directory. This option allows the system administrator to use a different directory. Note that directory must be exported to hosts wishing to use the dtspc service. directory - the name of the directory to use for authentication.

-timeout minutes By default, the dtspcd process will terminate if it does not have any activity (process start or process stop) for 10 minutes and dtspcd has no child processes running. To change the timeout, set minutes to the desired number of minutes. To force the daemon to not use a timer, set minutes to -1. minutes - the number of minutes for the timer.

-mount_point mount_point The file system's mount point is named mount_point. For example, mount_point could be "/net" or "/nfs". The daemon sets the environment variable DTMOUNTPOINT to the value of mount_point. This value of DTMOUNTPOINT will override all other definitions of DTMOUNTPOINT.

-log This option turns on logging of status information to the file /var/dt/tmp/DTSPCD.log. The information logged includes the name of the client host, the client's username, error messages and the name of the file used for authentication. The default is to not do any logging.

SunOS 5.5.1 Last change: 4 April 1994 1

-debug This option turns on logging of dtspc protocol to the file /var/dt/tmp/DTSPCD.log. The protocol information logged includes the name of the protocol and number of bytes in the request. The default is to not log the protocol.

AUTHENTICATION When a CDE client attempts to connect to a dtspcd daemon, the client sends the daemon its username. The daemon uses the username to determine the user's home directory on the daemon's host. The home directory is used during authentication and it must be readable by the daemon and writable by the client. Therefore, the user's home directory on the daemon's host must be mounted to the client host. If the user's home directory is not readable and the -auth_dir command line option is not used, the directory /var/dt/tmp will be used.

To use a directory other than the user's home directory for authentication, use the -auth_dir command line option.

CONFIGURATION The dtspcd daemon is an Internet service that must be registered in the file /etc/services as follows:

dtspc 6112/tcp

and in the file /etc/inetd.conf as follows:

dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
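The inetd.conf entry above is the switch that exposes dtspcd on a host. As an added example (not from the original post or the man page), this POSIX shell function audits inetd.conf text for that entry and reports whether it is active and, as the man page's entry has it, running as root; the inetd.conf excerpt it runs against is constructed.

```shell
#!/bin/sh
# Added example: audit an inetd.conf for the dtspc service entry.
# The excerpt below is constructed for the demo, not taken from a real host.
SAMPLE_INETD_CONF='# constructed inetd.conf excerpt
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
dtspc   stream  tcp     nowait  root    /usr/dt/bin/dtspcd      /usr/dt/bin/dtspcd'

# dtspc_status reads inetd.conf text on stdin and prints one word:
#   enabled-as-root - an active dtspc line whose user field (field 5) is root
#   enabled         - an active dtspc line under some other account
#   commented       - only a commented-out dtspc line exists
#   absent          - no dtspc line at all
dtspc_status() {
    awk '
        /^[ \t]*$/ { next }                                 # skip blank lines
        /^[ \t]*#[ \t]*dtspc[ \t]/ { commented = 1; next }  # "#dtspc ..." line
        $1 == "dtspc" { active = 1; user = $5 }             # live entry; $5 is the account
        END {
            if (active && user == "root") print "enabled-as-root"
            else if (active)              print "enabled"
            else if (commented)           print "commented"
            else                          print "absent"
        }'
}

# Run against the constructed sample; on a real Solaris host you would run
# dtspc_status < /etc/inetd.conf instead.
printf '%s\n' "$SAMPLE_INETD_CONF" | dtspc_status
```

A result of enabled-as-root means the service described in this man page is reachable on port 6112/tcp as soon as inetd is running; commenting the line out and sending inetd a SIGHUP removes it.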

ENVIRONMENT VARIABLE MANAGEMENT The CDE Subprocess Control service allows the user and system administrator to create files of environment variable definitions to be placed in the process's environment before a remote process is started. See dtspcdenv(4M) for more information.

OPERATING SYSTEM DEPENDENCIES On HP-UX, the file /usr/adm/inetd.sec may be used to control access to the dtspcd daemon. See inetd.sec(4) for more information.

FILES /usr/dt/bin/dtspcd The CDE Subprocess Control daemon


/etc/services The Internet service name data base


/etc/inetd.conf The inetd configuration file

/etc/dt/config/dtspcdenv System-wide, locally defined environment variable definitions used when a process is executed

/usr/dt/config/dtspcdenv System-wide, installed environment variable definitions used when a process is executed

$HOME/.dt/dtspcdenv User-specific environment variable definitions used when a process is executed

/var/dt/tmp/DTSPCD.log The dtspcd log file

DIAGNOSTICS Use the command line options -log and -debug (described above) to get diagnostic information.

SEE ALSO inetd(1M), services(4), inetd.conf(4), dtspcdenv(4M).

SunOS 5.5.1 Last change: (April Fool)+3 1994 3