security hole in AIX 4.3.3


Post by fran » Fri, 12 Apr 2002 09:11:10

Some weeks ago I noticed a weird security hole on our AIX 4.3.3 machine.

Situation 1: a default user 'frank' (only default user rights, no
explicit administrative rights) was not able to create any user, change
users' settings or other administrative stuff with SMIT. That's just
what should happen!

Situation 2: the same user said "export DISPLAY="192.168.10.10:0"" and
thus redirected the screen to the linux box on 192.168.10.10. Then he
started SMIT from the command line and got the SMIT screen on the linux
box. xhost + has been executed on the linux box before.

Now, HERE he was able to do some actions that generally only root can
do. I have been able to create new users as 'frank' logged in!! And I
was able to change users' details for any user, even root!

Note: root was NOT logged in, neither on the AIX machine nor on the
      linux box. And they have different passwords on both machines. It
      can't be something about password tunneling.

Unfortunately, I can't reproduce it this morning. The user that I've
created as 'frank' logged in still exists on the machine.

If this happens from time to time, it is a real security hole. I don't
know when it happens and why. The machine had been rebooted meanwhile,
maybe it does not occur any longer because of that.

And this happened only when using SMIT (motif gui); when using smitty
I got the correct error messages about not having the appropriate
user rights.

Does anyone know more about this?

Frank

--
Posted via dBforums
http://dbforums.com
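The post above ends with an account that nobody authorised still sitting in the passwd file. Whatever the cause turns out to be, a defender wants that event flagged automatically. The script below is an added example, not part of the original post or of AIX: it diffs a known-good snapshot of the passwd file against the current one and lists any extra uid-0 accounts. The file contents are constructed sample data, so it runs offline with POSIX tools only.

```shell
#!/bin/sh
# Added example, not part of the original post: a defender-side check that
# turns "a user I never created is still on the machine" into something a
# cron job can flag. It compares a known-good snapshot of the passwd file
# with the current one and also lists extra uid-0 accounts.
# Everything below works on constructed temporary files, so it runs offline.

# Print login names present in the current passwd file ($2) that are
# missing from the baseline snapshot ($1). Both are passwd-format
# (login:pw:uid:gid:gecos:home:shell); POSIX tools only, so it runs on
# AIX's /bin/sh as well as on Linux.
new_accounts() {
    b=$(mktemp) || return 1
    c=$(mktemp) || return 1
    cut -d: -f1 "$1" | sort > "$b"
    cut -d: -f1 "$2" | sort > "$c"
    comm -13 "$b" "$c"       # lines only in the second file = new logins
    rm -f "$b" "$c"
}

# Print every account with uid 0 other than root: an extra superuser entry
# is the classic leftover of an unauthorised "change user's details".
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Constructed sample data: a baseline taken when the box was known good,
# and a later snapshot with one new ordinary account (as in the post) and
# one new account that was given uid 0.
BASELINE=$(mktemp); CURRENT=$(mktemp)
trap 'rm -f "$BASELINE" "$CURRENT"' EXIT
cat > "$BASELINE" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
frank:!:201:1::/home/frank:/usr/bin/ksh
EOF
cat > "$CURRENT" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
frank:!:201:1::/home/frank:/usr/bin/ksh
testuser:!:202:1::/home/testuser:/usr/bin/ksh
helpdesk:!:0:1::/home/helpdesk:/usr/bin/ksh
EOF

echo "new accounts since baseline:"
new_accounts "$BASELINE" "$CURRENT"
echo "non-root uid 0 accounts:"
uid0_accounts "$CURRENT"
```

In production the baseline is a copy of the passwd file taken after the last legitimate change and stored where the users being monitored cannot write; on AIX the same comparison applies to /etc/security/user, where the admin attributes live.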

1. Security Hole on webservers run on various OS, How to close UNIX hole

Hi,

I have written a program that enables me via the web, to access any file
(access is see it and download it) on a web server's hard drive. It
basically explores the drive (/ root downwards). Now the Apache Server
that runs my program delivers the results to my browser. I wrote it
initially to test the security of our account.

So what permissions should I use on our web directory:-

/usr/www/foobar

That will still allow the server to deliver the webpages and yet stop
people from other accounts from accessing it via chdir (telnet/ftp)?

We also have home directories that are not visible to the www called:-
/usr/home/foobar

Now my programs can access this directory too! So what should I set the
file permissions to, again to stop other account holders with our ISP
from accessing it?

For the record my program traversed the entire disc that the web server
is running on. It was only denied access to a few directories.

Also this means that no logs are kept!! As my 2nd program called by the
first program, downloads the actual file to my browser and the only log
kept of course is that someone ran the download program.

Is this what governments do to obtain people's files without permission?:-

Say they are targetting http://www.foobar.co.uk, they can do this:-

1) Find out who the ISP is for http://www.foobar.co.uk
2) Buy a cgi account with the same ISP
3) Use a program like mine. (Will not give details publically)
4) Run the program and download the files including any within NON web
directories.
--
Mark Worsdall
Home  :- shadowwebATworsdall.demon.co.uk
Any opinion given is my own personal belief...
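The question in the post above is what mode to put on the web directory and on the home directory. The traversal it describes only reaches a directory when the "other" permission bits let an unrelated account read or enter it, so the answer is to remove those bits and let the web server in through group membership instead. The script below is an added example, not from the post or from any ISP: it audits the "other" bits, applies 750 to the web directory (with the server's group, a placeholder here) and 700 to the home directory, and re-checks. It runs on a constructed temporary tree that stands in for /usr/www/foobar and /usr/home/foobar.

```shell
#!/bin/sh
# Added example, not from the original post: audit and fix the "other"
# permission bits on the two directories the poster asks about. A traversal
# like the one he describes can only enter directories whose mode grants
# something to "other", so that is exactly what is checked and removed.
# WEB_GROUP is a placeholder for the group the web server actually runs as.

# Report "open" if any read/write/execute bit is set for "other" on $1,
# "closed" otherwise. ls -ld is used rather than stat because its mode
# column looks the same on AIX, BSD and Linux.
other_access() {
    mode=$(ls -ld "$1" | cut -c8-10)
    if [ "$mode" = "---" ]; then echo closed; else echo open; fi
}

# Web content directory: owner keeps full access, the web server's group
# may read and enter (750), other accounts get nothing. Setting the group
# is what lets the server keep serving pages once "other" is removed.
harden_web_dir() {
    if [ -n "$WEB_GROUP" ]; then
        chgrp "$WEB_GROUP" "$1"
    fi
    chmod 750 "$1"
}

# Home directory the web server never needs to see: owner only (700).
harden_home_dir() {
    chmod 700 "$1"
}

# Placeholder: set to the server's group (e.g. www or nobody) on a real host.
WEB_GROUP="${WEB_GROUP:-}"

# Constructed sample tree standing in for /usr/www/foobar and /usr/home/foobar.
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
WWW="$ROOT/www"; HOME_DIR="$ROOT/home"
mkdir "$WWW" "$HOME_DIR"
chmod 755 "$WWW" "$HOME_DIR"     # the usual default, readable by every account
echo '<html>hello</html>' > "$WWW/index.html"
echo 'private notes' > "$HOME_DIR/notes.txt"

echo "before: www=$(other_access "$WWW") home=$(other_access "$HOME_DIR")"
harden_web_dir "$WWW"
harden_home_dir "$HOME_DIR"
echo "after:  www=$(other_access "$WWW") home=$(other_access "$HOME_DIR")"
```

The same check run over every home directory on the host (for each entry in /usr/home, call other_access) gives the list of accounts whose files the poster's program could have read; on a shared ISP box that list is the actual exposure, and the fix is the owner's chmod, not anything the web server configuration can do.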
