Digital Unix Security Problem

Tom Leffingwell (tom@sba.miami.edu)
Wed, 12 Nov 1997 14:51:40 -0500

I tried reporting this to DEC, but because I didn't have a
software support agreement number handy, they wouldn't let me report
anything, then they placed me on hold for 30 minutes, then they
disconnected me.

Tip to DEC: Allow people to report security problems without paying for
software support. Or at least allow someone other than the
designated contact to report security problems.

Version Affected: Digital UNIX 4.0B *with* patch kit 5
Unpatched 4.0B is not vunerable to this particular
problem, but it is to others.

Impact: Local users may overwrite system files, and possibly obtain root.

Problem:

Patch kit 5 included a replacement xterm because the old one had a
bug, too. They replaced it with another that had a bigger problem. You
can cause a segmentation fault in xterm simply by setting your DISPLAY
variable to a display that you aren't allowed to connect to or one that
doesn't exist. Start xterm, and you get a core file.

Xterm is installed setuid root. I'm not 100% sure what happens,
since DEC doesn't release the source for patches. It does dump core at
XtOpenApplication(), however.

Even with a buffer overflow, I've never seen anyone exploit on one
DU. If anyone has done so sucessfully, plese email me. Despite that, a
person with basic knowledge of unix could easily do something like:

#/!bin/csh
cd /tmp
ln -s /etc/passwd /tmp/core
setenv DISPLAY abcdefghi
/usr/bin/X11/xterm

The contents of /etc/passwd becomes xterm's core, preventing
further logins. Obviously you could do things without an immediate impact
such as ln -s /vmunix /tmp/core.

Workaround:

Needless to say, change permissions on xterm, have the users run
dxterm, its better anyway.

___________________________________________________________________

Tom Leffingwell
University of Miami
(305) 284-1337

Systems Administrator Support Manager
Information Technology School of Business
Ungar 138 Jenkins 314M
___________________________________________________________________