SUMMARY: SunPC security hole

From: Ray Brownrigg (ray@isor.vuw.ac.nz)
Date: Mon Oct 20 1997 - 22:53:45 CDT


Thanks to:
Kevin.Sheehan@uniq.com.au (Kevin Sheehan {Consulting Poster Child})
Glenn Satchell - Uniq Professional Services <Glenn.Satchell@uniq.com.au>

for picking up on this one. Unfortunately, the only suggestion was to
make sure the latest SunPC patch (102924-25) had been installed. I have
now installed this patch (and from within the README also obtained a
supplement to the SunPC User's Guide - which incidentally has lots of
Win 95 relevant stuff), but the problem remains.

The official word from Sun Support is that SunPC "does not support
remote display". I now have to determine how to approach publicising
the enormous security hole that this opens up.

---- Original question ----
> We have an interesting security problem here, notably because one of the
> prerequisites is the use of a more secure environment (ssh).
>
> If a user logs on remotely using ssh the DISPLAY environment variable
> is set automatically to e.g. remote:1.0. [This assumes X forwarding is
> set for sshd.]
>
> Now in this situation, SunPC does not work, typing at the local keyboard
> does not show up in the sunpc window. (The solution is to:
> setenv DISPLAY local:0.0
> before running sunpc).
>
> However what does happen is that when the sunpc window has focus from
> the local mouse, anything typed at the remote keyboard (i.e. the
> keyboard attached to the CPU on which the sunpc executable is running)
> appears in the sunpc window. In particular, if the remote system is
> awaiting an xdm login, then the username and password show up in the
> local user's sunpc window.
>
> Further, if sunpc is instructed to attach the mouse 'internally', it
> takes control of the remote mouse!
>
> Now the sunpc executable is not suid, and the appropriate remote devices
> (/devices/pseudo/cons*) are always mode 600. It appears that the sunpc
> executable is somehow using the DISPLAY environment variable to
> determine which keyboard and mouse to use. Also, though, there must be
> some flawed mechanism by which authority to read the keyboard and mouse
> is obtained.
>
> Our short-term solution is to use the xdm login mechanism to change the
> permissions on /dev/sdos* so that only the local user may run sunpc. We
> didn't want to turn off X forwarding, as that reduces the value of ssh.
>
> Has anybody seen this before? More importantly, is there any useful
> workaround?
>
---- part 2 of original question ----

> I post my first request to Sun-Managers in several years and of
> course I forget the basics - I forgot to specify versions etc. Not only
> that, I initially posted this update with a Subject: beginning with "Re:".
> This appears to have been silently discarded by the list mechanism.
>
> We are running SunPC 4.1 under Solaris 2.5, with at least all
> recommended patches, on SPARC 4, 5, and 10.
>
> ssh is 1.2.21
>
> In case you missed the original, if you ssh to a remote system with X
> forwarding set, then run sunpc, the DOS window captures keystrokes from
> the remote machine instead of from the local keyboard.
>
> Of course I will summarise responses.
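
The short-term workaround described in the original question (having the xdm login mechanism change the permissions on /dev/sdos* so that only the local user can run sunpc) could look like the following. This is an added example, not part of the original post and not Sun's or the poster's script. It assumes that the device nodes match /dev/sdos*, that mode 600 is the intended restriction, and that the script is called as root from xdm's startup and reset hooks with USER set. The function name and the give/take arguments are hypothetical.

```shell
#!/bin/sh
# Added example: hand the SunPC device nodes to the console user at xdm
# login and take them back at logout, so a remote (ssh) user cannot open them.
# Assumptions: nodes match $SDOS_DIR/sdos*, mode 600 is the intended
# restriction, xdm runs this as root with USER set to the console user.

SDOS_DIR="${SDOS_DIR:-/dev}"

# set_sdos_owner OWNER [DIR]
# Makes OWNER the only account able to open DIR/sdos*.
# Returns 0 on success, 1 if any chmod/chown failed,
# 2 if no owner was given, 3 if no sdos nodes were found.
set_sdos_owner() {
    owner="$1"
    dir="${2:-$SDOS_DIR}"
    [ -n "$owner" ] || { echo "set_sdos_owner: no owner given" >&2; return 2; }
    rc=0
    found=0
    for node in "$dir"/sdos*; do
        # An unmatched glob stays literal; skip it.
        [ -e "$node" ] || continue
        found=1
        # Remove group/other access before changing the owner, so the
        # node is never both newly owned and still open to other users.
        chmod 600 "$node" || rc=1
        chown "$owner" "$node" || rc=1
    done
    [ "$found" -eq 1 ] || { echo "set_sdos_owner: no sdos nodes in $dir" >&2; return 3; }
    return $rc
}

# "give" from the xdm startup hook, "take" from the reset hook.
case "${1:-}" in
    give) set_sdos_owner "${USER:?USER not set by xdm}" ;;
    take) set_sdos_owner root ;;
esac
```

This only restricts who can open the SunPC devices; it does not change how sunpc picks its keyboard and mouse from DISPLAY.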


