Huge security hole in SDRC IDEAS MS6 cad system.

From: Sven-Ove Westberg (sowat_private)
Date: Fri Jun 05 1998 - 05:27:44 PDT

Next message: Stefan Laudat: "Security flaw in Accelerated-X 4.1"

Previous message: Aleph One: "FreeBSD Security Advisory: FreeBSD-SA-98:05.nfs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi.

I have found a huge security hole with the SDRC's new CAD system IDEAS
Master Series 6. The now use the orbixd as an interface daemon and they
run it as root!! I looked at Internet and found that s they run the daemon
anyone can get root access or access as any user, from anyhost that can
acces the TCP/IP port on the machine.

Here is some references on security ond orbixd.
http://list-archive.qds.com/corba-dev-html.1997/1663.htmsl
http://www.iona.com/support/whitepapers/orbixsecurity/
http://tappi.me.tut.fi/~paavo/corba_docs/prguide/part2/chapter6/imprep10.html


The CAD system is the main CAD system at many big companies for example
Ford. I have sent out a waring to the mailing list for IDEAS users,  we have
also filed a bug report but SDRC seems to ignore the security of their
customers computers since we have not heard any thing from them.
SDRC did not supply you with any documentation on the orbixd just a script
that you should run as ROOT!!! I think that talks for it self.

Other systems may also use the orbixd look out for them.

This is the Orbix.cfg file.

 # Below are listed the main orbix environment configuration variables
 # and associated default values. An Orbix client, server or daemon will
 # use these values if, and only if, the relevant unix environment
 # variable is not defined.

 # the port number for the Orbix daemon:
 IT_DAEMON_PORT          1570

 # the starting port number for daemon-run servers:
 IT_DAEMON_SERVER_BASE   1590

 # the full path name of the error messages _file_:
 IT_ERRORS               $(SDRC_ORBIX_ROOT)/lib/ErrorMsgs

 # the full path name of the Implmentation Repository _directory_
 IT_IMP_REP_PATH         $(SDRC_ORBIX_SPOOL)/Repository

 # the full path name of the Interface Repository _directory_:
 IT_INT_REP_PATH         $(SDRC_ORBIX_SPOOL)/Interfaces

 # the full path name of the _directory_ holding the locator files:
 IT_LOCATOR_PATH         $(SDRC_ORBIX_SPOOL)/Locator

Did anyone know if I can run the orbixd under tcpwrapper?
What is the two ports for? Did it listen on two ports?

Regards,

--
Sven-Ove Westberg, CAD, University of Lulea, S-971 87 Lulea, Sweden.

Next message: Stefan Laudat: "Security flaw in Accelerated-X 4.1"
Previous message: Aleph One: "FreeBSD Security Advisory: FreeBSD-SA-98:05.nfs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:56:47 PDT