Bugtraq archives for 2nd quarter (Apr-Jun) 1999: Re: Digital Unix 4.0E /var permission

Re: Digital Unix 4.0E /var permission

Jochen Thomas Bauer (jtb@THEO2.PHYSIK.UNI-STUTTGART.DE)
Tue, 6 Apr 1999 10:47:26 +0200

Hello,

On Sun, 4 Apr 1999 Harhalakis Stefanos wrote:
>On Digital Unix 4.0E with the latest patch kit applied, after a new
>installation /var has g+w for group system.

This problem seems to exist in other versions of Digital Unix, too.
At least on Digital Unix 4.0c and 4.0d (Factory Installed Software,
no patches applied, CDE in use) /var, which in my case is a link to
/usr/var, has

drwxrwxr-x  28 root     system       512 Feb 11 12:58 /usr/var/

permissions. However, on Digital Unix 4.0b (Patch kit DUV40BAS00008-
19980821 applied, Software installed from CD, CDE in use) /usr/var
has

drwxr-xr-x  23 root     system       512 Feb 11  1998 /usr/var/

permissions.

>The whole thing is done while executing /sbin/rc3.d/S95xlogin and
>only if CDE is selected.

This does not seem to be the case for Digital Unix 4.0c and 4.0d.
There is no chmod of /var in /sbin/rc3.d/S95xlogin.

>Anyone that can crack any account with gid==system may exploit this
>(not tested but there should be no problem with mv'ing /var/sbin,
>/var/adm etc etc..).

Or do the following:
CDE's Xconfig file is a link from /var/dt/Xconfig to the actual config
file. Moving /var/dt and creating your own /var/dt, you could replace
the system Xconfig file with your own version which has the session
manager specification

Dtlogin*session:               /usr/dt/bin/Xsession

replaced with something more evil. Then just wait for root to
log in on the console....

--
Jochen Bauer
Institute for Theoretical Physics
University of Stuttgart
Germany

PGP public key available from:
http://www.theo2.physik.uni-stuttgart.de/jtb.html
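As an added illustration (not part of the original post, and not Digital Unix code), the following POSIX shell audit checks the condition this thread describes: whether /var, judged by the real directory it links to (/var -> /usr/var on the systems above), is group- or world-writable. It runs against a constructed temporary directory tree instead of the live system, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit a directory for the group/other-writable condition
# discussed in the thread. Not from the original post; names are assumptions.

# dir_mode DIR: print the ls-style mode string (e.g. drwxrwxr-x) of DIR after
# following symlinks, so /var is judged by the real /usr/var directory.
dir_mode() {
    resolved=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    ls -ld "$resolved" | cut -c1-10
}

# check_dir_writable DIR: return 0 if group or other has write permission
# (and can therefore rename or replace entries such as DIR/dt), 1 if not,
# 2 if DIR does not exist or cannot be entered.
check_dir_writable() {
    perms=$(dir_mode "$1") || return 2
    group_w=$(printf '%s' "$perms" | cut -c6)   # 6th char: group write bit
    other_w=$(printf '%s' "$perms" | cut -c9)   # 9th char: other write bit
    if [ "$group_w" = w ] || [ "$other_w" = w ]; then
        return 0
    fi
    return 1
}

# Constructed demo tree mirroring the 4.0c/4.0d layout quoted in the post:
# var -> usr/var with mode 775 (drwxrwxr-x) and a var/dt subdirectory with 755.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/var/dt"
chmod 775 "$demo_root/usr/var"
chmod 755 "$demo_root/usr/var/dt"
ln -s usr/var "$demo_root/var"

for d in "$demo_root/var" "$demo_root/var/dt"; do
    if check_dir_writable "$d"; then
        printf 'WRITABLE %s %s (group/other can rename entries here)\n' \
            "$(dir_mode "$d")" "$d"
    else
        printf 'ok       %s %s\n' "$(dir_mode "$d")" "$d"
    fi
done
rm -rf "$demo_root"
```

On a real host, pointing check_dir_writable at /var, /var/dt and /var/adm (as root, after an install or patch kit) reproduces the check the thread performed by hand with ls -ld.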