X security hole- how to fix?

X security hole- how to fix?

Post by Thomas B. F » Sat, 21 Sep 1996 04:00:00



Hello all.

I recently set up a FreeBSD 2.1.5R machine that serves up www, ftp,
dns, and popmail. I have been tinkering with eXodus on my win95
machine to run xclients from the bsd machine.  I noticed that no
matter who I login as on the bsd machine when I start an xterm to
another machine (such as my 95 machine) that xterm has root
access. Obviously this is a BIG problem, how can I fix it? No one
besides myself and our other MIS guy will have access to shell
anyways, but I'd still like to plug the hole before it starts leaking.

Thanks in advance!

Tom

X security hole- how to fix?

Post by Frederic G. MARA » Thu, 26 Sep 1996 04:00:00


>I recently set up a FreeBSD 2.1.5R machine that serves up www, ftp,
>dns, and popmail. I have been tinkering with eXodus on my win95
>machine to run xclients from the bsd machine.  I noticed that no
>matter who I login as on the bsd machine when I start an xterm to
>another machine (such as my 95 machine) that xterm has root
>access. Obviously this is a BIG problem, how can I fix it? No one
>besides myself and our other MIS guy will have access to shell
>anyways, but I'd still like to plug the hole before it starts leaking.

I think the standard solution would be not to run xterm per se, but
with a limiting argument, such as: xterm -e /bin/login. Failure to
log in will close the xterm, and success will give the user the
identity he is allowed to have.

Alternatively, if you want to provide access to an application, you
may use the same "-e" system and use a setuid/setgid application that
will set UID and/or GID to the user/group you chose before starting
the xterm.
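A minimal version of the setuid/setgid wrapper idea from the post above, added here as an example (not code from the poster): it drops to a fixed non-root account in the order the kernel requires, verifies the drop actually happened, and only then starts the client. The account name `xguest` and the xterm path are assumptions.

```c
#define _DEFAULT_SOURCE           /* for setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if real and effective uid/gid all equal the target, else 0. */
int identity_is(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Drop to uid/gid in the only safe order: groups, gid, then uid.
 * Returns 0 on success, -1 if a step fails or root can be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root can replace the supplementary group list, and a setuid-root
     * wrapper must, or the child keeps root's groups. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)           /* gid before uid: no permission afterwards */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (!identity_is(uid, gid))     /* verify instead of trusting return codes */
        return -1;
    if (uid != 0 && setuid(0) == 0) /* must fail once privileges are gone */
        return -1;
    return 0;
}

int main(void)
{
    struct passwd *pw = getpwnam("xguest");   /* assumed target account */
    if (pw == NULL) {
        fprintf(stderr, "target account not found\n");
        return 1;
    }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "could not drop privileges; refusing to start xterm\n");
        return 1;
    }
    char *const argv[] = { "xterm", NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL }; /* nothing inherited */
    execve("/usr/X11R6/bin/xterm", argv, envp);         /* assumed xterm path */
    perror("execve");
    return 1;
}
```

Installed setuid root, the wrapper never lets the user's own shell run with the inherited identity; if any step of the drop fails it exits rather than starting the client.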

X security hole- how to fix?

Post by J Wuns » Sun, 29 Sep 1996 04:00:00



>   I noticed that no
> matter who I login as on the bsd machine when I start an xterm to
> another machine (such as my 95 machine) that xterm has root
> access.

You must have screwed something.  But you didn't tell us what.

--
cheers, J"org


Never trust an operating system you don't have sources for. ;-)

pwdauthd pwdauth() - Source Wanted in order to fix security hole.

     A while back someone scarfed our password file, ran a cracker against it,
and compromised several hundred accounts.  Before we could get that cleaned up
they managed to hack root access and remove our device files.

     So, at that point I went to Sun's idea of C2 security, primarily for the
shadow password feature, only Sun's implementation sucks.

     Seems that anybody in the world can, through RPCs, access pwdauthd and use
it to "guess" at accounts.  This became apparent when the system slowed to a
crawl and the CPU time pwdauthd used went through the roof.  So I blocked that
port in the router.

     The person then obtained a legitimate account and proceeded to run a
cracker that called pwdauth locally.  They put a small delay between calls so
that it didn't totally max out the CPU.  Even so they managed to compromise at
least 30 more accounts and bog the system so bad that legitimate users couldn't
get on.  That individual is tossed off, but who knows how many accounts they
have access to that I don't know about.

     What I want to do is create a pwdauthd and pwdauth system call that will
only work if the effective UID is root, otherwise return a no-match condition
even if the password is correct (so they won't know they're talking to a
modified daemon/system call).

     I don't know a lot about RPC's so I was hoping not to have to invent this
wheel from scratch, ie, I was hoping I could find source that I could modify.
