Bugtraq mailing list archives
Re: another /usr/dt/bin/dtappgather feature!
From: cromar () PRINCETON EDU (Scott Cromar)
Date: Thu, 5 Nov 1998 20:32:09 -0500
I had submitted a similar exploit to Sun in about May. With each new patch that is released, I get a phone call to try the exploit again, and it still works. Of course, now it is getting harder for me to test it, since we have moved to Solaris 2.6 for all of our systems that use CDE...

As was noted in the original post, the real problem is with the permissions of the directory in question. Once you realize that, an exploit becomes trivial. I'm hoping that Sun releases a functional security patch for 2.5.1 dtappgather, but for now we are recommending just removing the SUID bit.

--Scott

On Wed, 4 Nov 1998, Ben Collins wrote:
> This isn't a permissions problem on the directories; note that his output shows that the directory does have the new (i.e. patched) permissions. I tested this on a completely patched system (patched it right before I tested it with the latest ones from sunsolve1). I was still able to replicate the exploit.
>
> On Wed, 4 Nov 1998, Casper Dik wrote:
>
> > > There's attached the message related to this new feature. The /usr/dt/bin/dtappgather program tries to read the environment variable $DTUSERSESSION to get the name of the file to look for. The file is searched for in /var/dt/appconfig/appmanager. Under SunOS 5.5, 5.5.1 (aka Solaris 2.5, 2.5.1) that directory is 777 or 01777, so you're able to make a symbolic link to the file you wish, but on SunOS 5.6 (Solaris 2.6) the directory is 755 to avoid this. Unfortunately dtappgather never checks the $DTUSERSESSION variable, so you can use the syntax ../../.. etc. to grab the file you wish, even if you can't write to the /var/dt/appconfig/appmanager directory....
> >
> > Unless I'm very much mistaken, this is fixed in Solaris 7 as well as with the following Solaris 2.x patches:
> >
> > 104497-04: CDE 1.0.1: dtappgather patch
> > 104498-04: CDE 1.0.2: dtappgather patch
> > 104499-04: CDE 1.0.1_x86: dtappgather patch
> > 104500-04: CDE 1.0.2_x86: dtappgather patch
> > 105837-02: CDE 1.2: dtappgather Patch
> > 105838-02: CDE 1.2_x86: dtappgather Patch
> >
> > (Released in March & June this year)
> >
> > For /var/dt permissions, you need:
> >
> > 103882-08: CDE 1.0.2: dtlogin patch for login authentication issues
> > 103884-06: CDE 1.0.1: dtlogin patch
> > 103885-06: CDE 1.0.1_x86: dtlogin patch
> > 103886-07: CDE 1.0.2_x86: dtlogin patch for login authentication issues
> >
> > This was fixed in 2.6, but you still need to apply the following for other problems:
> >
> > 105703-07: CDE 1.2: dtlogin patch
> > 105704-07: CDE 1.2_x86: dtlogin patch
> >
> > I'm not 100% sure the 2.5* patches will correct the permissions on existing directories. They will create new directories with the proper permissions.
> >
> > Casper
>
> ------------------------------------------------
> Ben Collins <b.m.collins () larc nasa gov>
> UnixGroup Admin - NASA LaRC
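Added example, not from this thread and not Sun's dtappgather source: the pattern Andrea describes (the value of $DTUSERSESSION pasted unchecked into a path under /var/dt/appconfig/appmanager) next to a hardened open that accepts only a plain file name and refuses to follow a symbolic link. The directory constant, the allowed character set and the use of O_NOFOLLOW are assumptions of the example.

```c
#define _GNU_SOURCE /* for O_NOFOLLOW on glibc when compiled in strict mode */
#include <ctype.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Directory named in the thread; fixed here for the example. */
#define APPMGR_DIR "/var/dt/appconfig/appmanager"

/* The pattern the thread describes (illustrative, not Sun's code): the
 * session name is pasted into the path unchecked, so "../../../etc/passwd"
 * escapes APPMGR_DIR, and when the directory is mode 777 a planted
 * symbolic link redirects the privileged read. */
int open_session_unsafe(const char *session)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", APPMGR_DIR, session);
    return open(path, O_RDONLY);
}

/* Accept only a plain file name: non-empty, not "." or "..", no '/', and
 * limited to [A-Za-z0-9._-] (an assumed policy). Returns 1 if acceptable. */
int session_name_ok(const char *session)
{
    if (session == NULL || *session == '\0')
        return 0;
    if (strcmp(session, ".") == 0 || strcmp(session, "..") == 0)
        return 0;
    for (const char *p = session; *p != '\0'; p++) {
        if (!isalnum((unsigned char)*p) && strchr("._-", *p) == NULL)
            return 0;
    }
    return 1;
}

/* Hardened open: validate the name, then open with O_NOFOLLOW so a symlink
 * at the final component is refused even in a writable directory.
 * Returns a descriptor, or -1 on rejection or failure. */
int open_session_safe(const char *session)
{
    char path[PATH_MAX];
    if (!session_name_ok(session))
        return -1;
    if (snprintf(path, sizeof path, "%s/%s", APPMGR_DIR, session) >= (int)sizeof path)
        return -1;
    return open(path, O_RDONLY | O_NOFOLLOW);
}
```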