COMMAND
kdebugd
SYSTEMS AFFECTED
Tru64 up to 5.0
PROBLEM
The following is based on the Enigma Security Advisory. The kdebug
daemon can be exploited by remote users to open and display the contents
of any file on the system. It can also be used to write to the
beginning of any file on the system overwriting data which was
previously there.
When a connection is initiated with the kdebug daemon, an
initialisation packet is sent, which consists of two strings:
"kdebug" (or another permissible entry found in /etc/remote), and
an optional file location for the session to be recorded into.
The problem is that this file location can be any file on the
system, and is modified with root privileges. An attacker can
specify a file such as /etc/hosts.equiv in the initialisation
packet, and then subsequent data which is written by the client
will also be written to this file. As mentioned previously, data
that is written to the file goes to the beginning of the file and
not the end, and some superfluous data is also prepended by the
kdebug daemon, which means passwd file entries and similar attacks
on files with strict syntax cannot be performed. Furthermore, it
appears that kdebugd will only write to files which already exist
on the system.
This bug can also be exploited for reading any file on the file
system. This is achieved by sending an initialisation packet
specifying the debug file as /etc/remote, a file which kdebugd
interrogates when processing initialisation packets. The client
can then send subsequent data that contains a valid /etc/remote
entry. Each entry in /etc/remote has a file which is read from.
In the case of the "kdebug" entry, it is /dev/ttys00. When a
client is writing a new entry with this vulnerability, they
can specify a file such as /etc/passwd, and then initiate a new
connection to kdebug, requesting their new entry instead of
"kdebug". The /etc/passwd file in this case would be opened and
written to the socket, allowing the client to see the full
contents of the file, once again with root privileges.
SOLUTION
Compaq has said that the vulnerability exists up to Tru64 5.0,
and that a fix is currently being developed and is expected to be
available in the initial patch kit for Tru64 UNIX V5.1. As a
workaround in the meantime, it is recommended that the kdebugd
service be disabled by removing it from /etc/inetd.conf.