From: tar@math.ksu.edu (Tim Ramsey)
Newsgroups: alt.security
Subject: X11R5 xload security hole (was Re: Should /etc/utmp protection..)
Message-ID: <kd5icbINNk40@moe.ksu.ksu.edu>
Date: 15 Sep 91 02:46:35 GMT
References: <1991Sep10.101134.14482@donau.et.tudelft.nl> <1991Sep11.115213.1453@eua.ericsson.se> <kd3ftoINNhk <1991Sep14.100217.850@fwi.uva.nl>
Organization: Kansas State University

casper@fwi.uva.nl (Casper H.S. Dik) writes:

[ ... ]

>Use trace on xload/xterm and look in the first few lines at the directories
>being opened. If it says something like 'open("../lib/..")', then you're
>in trouble.

einstein# trace /usr/bin/X11/xload
open ("/usr/lib/ld.so", 0, 061210) = 3
read (3, "".., 32) = 32
mmap (0, 40960, 0x5, 0x80000002, 3, 0) = 0xf77e0000
mmap (0xf77e8000, 8192, 0x7, 0x80000012, 3, 32768) = 0xf77e8000
open ("/dev/zero", 0, 07) = 4
getrlimit (3, 0xf7fff950) = 0
mmap (0xf7800000, 8192, 0x3, 0x80000012, 4, 0) = 0xf7800000
close (3) = 0
getuid () = 0
getgid () = 1
open ("/etc/ld.so.cache", 0, 05000100021) = 3
fstat (3, 0xf7fff7f0) = 0
mmap (0, 4096, 0x1, 0x80000001, 3, 0) = 0xf77c0000
close (3) = 0
open ("../.././lib/Xaw", 0, 01010525) = -1 ENOENT (No such file or directory)
open ("../.././lib/Xmu", 0, 01010525) = -1 ENOENT (No such file or directory)
open ("../.././lib/Xt", 0, 01010525) = -1 ENOENT (No such file or directory)
open ("../.././extensions/lib", 0, 01010525) = -1 ENOENT (No such file or directory)
open ("../.././lib/X", 0, 01010525) = -1 ENOENT (No such file or directory)

<RAINMAN mode on>

Auuugggghhh!!!  <pounds head>

<RAINMAN mode off>

So it seems.  Sorry, looks like X11R5 installs xload insecurely under
SunOS 4.1.1.  Time to recompile with -DUSE_INSTALLED.  Time for another
CERT announcement, too.

--
Tim Ramsey/system administrator/tar@math.ksu.edu/(913) 532-6750/2-7004 (FAX)
Department of Mathematics, Kansas State University, Manhattan KS  66506-2602
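A check for the symptom Casper describes, as an added example that is not from the original post: it parses trace-style `open()` lines (`SAMPLE_TRACE` below is constructed to match the shape of the output above, with one extra absolute-path open added) and lists the library opens that are resolved relative to the caller's current directory, which is exactly what a setuid/setgid xload must never do.

```python
"""Flag relative-path library opens in trace/strace-style output.

Added example (not from the original post). A privileged program that
searches for shared libraries with paths like "../.././lib/Xaw" will open
whatever sits at that path relative to the directory it is run from, so
any relative open() in the first few lines of its trace is a finding.
"""
import re

# Matches: open ("<path>", <flags...>) = <ret> [ERRNO ...]
OPEN_RE = re.compile(
    r'^\s*open\s*\(\s*"([^"]*)"\s*,\s*[^)]*\)\s*=\s*(-?\d+)(?:\s+(\w+))?'
)

# Constructed sample in the shape of the trace in the post (last line added).
SAMPLE_TRACE = """\
open ("/usr/lib/ld.so", 0, 061210) = 3
read (3, "".., 32) = 32
open ("/dev/zero", 0, 07) = 4
open ("/etc/ld.so.cache", 0, 05000100021) = 3
open ("../.././lib/Xaw", 0, 01010525) = -1 ENOENT (No such file or directory)
open ("../.././lib/Xmu", 0, 01010525) = -1 ENOENT (No such file or directory)
open ("/usr/lib/libX11.so.4.10", 0, 01010525) = 3
"""


def parse_opens(trace_text):
    """Return one dict per open() call: path, relative?, return value, errno name or None."""
    calls = []
    for line in trace_text.splitlines():
        m = OPEN_RE.match(line)
        if not m:
            continue  # not an open() line (read, mmap, ...)
        path, ret, err = m.group(1), int(m.group(2)), m.group(3)
        calls.append({
            "path": path,
            "relative": not path.startswith("/"),
            "ret": ret,
            "errno": err if ret < 0 else None,
        })
    return calls


def relative_opens(trace_text):
    """Paths resolved against the caller's cwd. ENOENT only means nothing was
    there in this run; the open would succeed from a directory where it is."""
    return [c["path"] for c in parse_opens(trace_text) if c["relative"]]


def is_vulnerable(trace_text):
    """True when the traced program opens any library path relatively."""
    return bool(relative_opens(trace_text))


if __name__ == "__main__":
    for p in relative_opens(SAMPLE_TRACE):
        print("relative library search path:", p)
```

Run it over `trace` output captured as in the post; an empty result after rebuilding with -DUSE_INSTALLED confirms the fix.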