[ SOURCE: http://www.secureroot.com/security/advisories/9693915986.html ]

_____________________________________________________________________

ENIGMA SECURITY ADVISORY
A division of ITAC: Leaders in IT Security (http://enigma.itaudit.com.au)

Digital UNIX kdebugd remote Vulnerability
_____________________________________________________________________

Title:      kdebugd service file vulnerability
Bug ID:     EN18090001
Affected:   Digital UNIX 4.0F; other versions are believed to be affected as well but are untested.
Compromise: Any file on the system can be read from or written to as root, possibly resulting in remote root access being obtained.
Author:     Mark Dowd (mark@itaudit.com.au)

1. SYNOPSIS

The kdebug daemon can be exploited by remote users to open and display the contents of any file on the system. It can also be used to write to the beginning of any file on the system, overwriting data which was previously there.

2. DETAILS

When a connection is initiated with the kdebug daemon, an initialisation packet is sent which consists of two strings: "kdebug" (or another permissible entry found in /etc/remote), and an optional file location for the session to be recorded into. The problem is that this file location can be any file on the system, and it is modified with root privileges. An attacker can specify a file such as /etc/hosts.equiv in the initialisation packet, and subsequent data written by the client will then also be written to this file.

As mentioned previously, data written to the file goes to the beginning of the file and not the end, and some superfluous data is also prepended by the kdebug daemon, which means passwd file entries and similar attacks on files with strict syntax cannot be performed. Furthermore, it appears that kdebugd will only write to files which already exist on the system.

This bug can also be exploited for reading any file on the file system. This is achieved by sending an initialisation packet specifying the debug file as /etc/remote, a file which kdebugd interrogates when processing initialisation packets. The client can then send subsequent data that contains a valid /etc/remote entry. Each entry in /etc/remote has a file which is read from; in the case of the "kdebug" entry, it is /dev/ttys00. When a client writes a new entry using this vulnerability, they can specify a file such as /etc/passwd, and then initiate a new connection to kdebug requesting their new entry instead of "kdebug". The /etc/passwd file in this case would be opened and written to the socket, allowing the client to see the full contents of the file, once again with root privileges.

3. SOLUTION

Compaq has said that the vulnerability exists up to Tru64 5.0, and that a fix is currently being developed and is expected to be available in the initial patch kit for Tru64 UNIX V5.1. As a workaround in the meantime, it is recommended that the kdebugd service be disabled by removing it from /etc/inetd.conf.
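An added audit helper (example code written for this editorial, not part of the advisory) that checks the workaround and the read path described above: it flags and comments out active kdebugd entries in /etc/inetd.conf, and lists /etc/remote entries whose device field does not point under /dev, which is what a planted entry of the kind described in section 2 would look like. The sample file contents are constructed, and the termcap-style "name:dv=/path:" layout of /etc/remote is an assumption made here, not something the advisory states.

```python
"""Audit helpers for the kdebugd advisory (constructed samples included)."""
import re

# Constructed sample of /etc/inetd.conf with kdebugd still enabled.
SAMPLE_INETD_CONF = """\
# Digital UNIX inetd configuration (constructed sample)
ftp     stream  tcp  nowait  root  /usr/sbin/ftpd     ftpd
kdebugd stream  tcp  nowait  root  /usr/sbin/kdebugd  kdebugd
#telnet stream  tcp  nowait  root  /usr/sbin/telnetd  telnetd
"""

# Constructed sample of /etc/remote; termcap-style "dv=" field is assumed.
SAMPLE_REMOTE = """\
# remote entries (constructed sample)
kdebug:dv=/dev/ttys00:br#9600:
tampered:dv=/etc/passwd:br#9600:
"""


def enabled_services(inetd_conf, service="kdebugd"):
    """Return 1-based line numbers of active inetd entries for `service`."""
    hits = []
    for n, line in enumerate(inetd_conf.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue  # blank line or already commented out
        if s.split()[0] == service:  # service name is the first field
            hits.append(n)
    return hits


def disable_service(inetd_conf, service="kdebugd"):
    """Return inetd_conf with every active `service` entry commented out."""
    out = []
    for line in inetd_conf.splitlines(keepends=True):
        s = line.strip()
        if s and not s.startswith("#") and s.split()[0] == service:
            line = "#" + line
        out.append(line)
    return "".join(out)


def suspicious_remote_entries(remote):
    """Return names of /etc/remote entries whose dv= path is not under /dev."""
    bad = []
    for line in remote.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name = line.split(":")[0].split("|")[0]  # first alias is the name
        m = re.search(r"(?:^|:)dv=([^:]*)", line)
        if m and not m.group(1).startswith("/dev/"):
            bad.append(name)
    return bad
```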