Home page logo
/

bugtraq logo Bugtraq mailing list archives

Yet another (minor) SGI bug
From: joku () BTGIX8 BGI UNI-BAYREUTH DE (Joerg Kuemmerlen)
Date: Tue, 5 Aug 1997 14:36:29 +0000


Last Saturday I was cleaning up my web page directory, and
I found a 'index.html.N' file created by our new O2 (via NFS). Apparently
this is just a default home page 'outbox' was creating at the
time when I was first login onto the new O2 machine. Outbox was
even clever enough to realize that I already had a index.html and
was therefore writing the 'index.html.N' file.  I was
close to deleting it, when I thought I might have a look on
the content of that file ;-))

I was a little bit angry, when I read that mail might be send to
me under an email address like

        joku () O2internetaddress NISDoimainname

I was tracing down the bug to a few lines in the outbox shell script
located at :

/var/X11/xdm/firsttime/outbox

There one finds :

#
# compute hostname
#

host=`/usr/bsd/hostname`
if [ -x /usr/bin/domainname ] ; then
    hostonly=`echo $host | sed -e 's/\..*$//'`
    thisdomain=`/usr/bin/domainname`
    if [ "$thisdomain" != "" ] ; then
        server=$host.$thisdomain
    else
        server=$host
    fi
else
    server=$host
fi

This line does all the damage:

thisdomain=`/usr/bin/domainname`

$thisdomain will contain the NIS daomain name,if NIS is running on the
 machine.

The $server variable is finally used in the html file:

<p>Send <a href="mailto:$UserName () $server">email to me.</a>
<p>My machine is: <a href="/cgi-bin/MachineInfo">$host</a>

$server thus apparently contains the NIS domainname if NIS is running.


I guess that most of you know what to do in order to hack the
whole NIS domain once you have the NIS domain name ;-))

I was just crosschecking the whole thing with a few IRIX 6.3 and IRIX 6.4
machines running NIS and I found that the NIS domainname was written to
all default homepages *LOL*.
Furthermore I was checking a few O2 machines on the net - and again :
The NIS domain name could be found on the 'outbox' default homepages
of users, who most likely do not even know that they have a homepage
at all ;-)).
I guess the whole thing is a minor bug only: in most cases
I have checked NIS domain name and real domain name have
been identical (and easy to guess) anyway ;-))


Information has been sent to SGI Security headquarter and DFN-CERT


A few questions remain :

1.) Why has the domain name to be used ?? hostname would simply be enough.
2.) Do SGI software engineers think about their code at all ??
3.) Has all SGI software to be tested by users instead of SGI software
    engineers ??
4.) When will SGI stop this kind of WWW nonsense ??


Cheers
Joerg



--
*************************************************************************
*   Joerg Kuemmerlen                                    |               *
*   Bayerisches Geo-Institut                            | It's a        *
*   Universitaet Bayreuth                               | fulltime      *
*   D-95440 Bayreuth                                    | job for       *
*   Germany                                             | anyone        *
*                                                       | to stay       *
*   Tel.:  ++49-921-55 37 19                            | alive.        *
*   Fax :  ++49-921-55 37 69                            |               *
*   email: joku () uni-bayreuth de                         | J. Cocker     *
*   WWW: http://torech-ungol.bgi.uni-bayreuth.de/~joku  |               *
*************************************************************************



  By Date           By Thread  

Current thread:
  • Yet another (minor) SGI bug Joerg Kuemmerlen (Aug 05)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault