HPE Community
Operating System - HP-UX
1829105 Members
3078 Online
109986 Solutions
New Discussion

xterm has setuid enabled

 
Herman Vanbrussel
Advisor

‎07-26-2005 08:38 PM

‎07-26-2005 08:38 PM

xterm has setuid enabled

If you have a user belonging only to the group users you still can execute, read and write to files not belonging to the users group if you launch xterm.

Some details to help you:
user u7514434 specifics:
[/tmp] whoami
u7514434
[/tmp] id
uid=7514434(u7514434) gid=20(users)

Another user's specifics:
[/tmp] whoami
dmsys
[/tmp] id
uid=124(dmsys) gid=150(dmtool)

I have a script with the following security settings:
-rwxr-xr-- 1 dmsys dmtool 20 Jul 27 10:08 /tmp/test.sh
So only dmsys can launch and change the script and only users of group dmtool can launch the script but not change it. This script only echoes "test" to the screen.

Now I login as u7514434 and launch xterm like this:
LOGNAME=dmsys /usr/bin/X11/xterm

Then I do the following:
[/tmp] whoami
u7514434
[/tmp] id
uid=7514434(u7514434) gid=20(users) groups=150(dmtool)
[/tmp] ./test.sh
test


Oeps, suddenly I belong to the group dmtool and can launch the script. I cannot change its contents.

If however I use /usr/contrib/bin/X11/xterm instead of /usr/bin/X11/xterm then I'm not able to hack into the dmtool group.

Other things to know:
HP-UX B.11.11 U 9000/800
[/tmp] ll /usr/bin/X11/xterm
-r-sr-xr-x 1 root bin 663552 Apr 16 2004 /usr/bin/X11/xterm
[/tmp] ll /usr/contrib/bin/X11/xterm
-r-sr-xr-x 1 root bin 385024 Nov 14 2000 /usr/contrib/bin/X11/xterm

For both version of xterm the setuid is active. Why is this?

Thanks for any reply.
Herman.
0 Kudos
Reply
1 REPLY 1
Matti_Kurkela
Honored Contributor

‎07-27-2005 01:11 AM

‎07-27-2005 01:11 AM

Re: xterm has setuid enabled

Hmm, looks like PHSS_30791 is related to this problem. I can reproduce the vulnerability with it, but with an older patchlevel it seems to be not vulnerable.

Xterm needs setuid root only for marking the session to /etc/utmp. You can remove the setuid bit to avoid the vulnerability, but then commands that use utmp (like "w", "write" and "talk" for example) lose some functionality for xterm sessions.
MK
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.