Bugtraq mailing list archives

Re: Vulnerability in dtaction on Digital Unix


From: egatenby () POBOX COM (Eric Gatenby)
Date: Thu, 16 Sep 1999 20:06:35 -0400


I just installed this patch and noticed a major omission in the instructions
for the installation of the patch.

Here are the instructions from the README:
# cd /usr/dt/bin
# cp /patches/dtaction dtaction.new
# chown root:system dtaction.new
# chmod 6555 dtaction.new
# ln dtaction dtaction.orig
# mv dtaction.new dtaction

The major problem is that it leaves the dtaction.orig file (the one with the
overflow) setuid to root. Some admins will notice it, some won't...

Solution? chmod 0100 /usr/dt/bin/dtaction.orig

BTW, anyone know a general security address @ compaq where I can send info
like this? I cannot seem to find one...

--Eric

On Thu, 16 Sep 1999, Zack Hubert wrote:
Hello,

I have verified that the dtaction vulnerability in CDE can be exploited for
local root compromise on Digital Unix systems.

Background
--------------
This is a followup to the issue first introduced by Job de Haas on the
buffer overflow present within /usr/dt/bin/dtaction.  He had verified that
the problem exists on Solaris 7, 2.6, 2.5.1.  Lamont Granquist then posted a
followup saying it was exploitable on Digital Unix's implementation of CDE.
I have found Lamont's original assessment to be correct.

Workaround
---------------
Use the patch (ssrt0615u_dtaction) available from Digital at
http://ftp.service.digital.com/public/Digital_UNIX/.

Code
------
Note: This was all written by Lamont Granquist and distributed under
previous Digital Unix overflows.  There is a slight modification however.
Compile smashdu, change the perl script to match your location, put some
kind of paperweight on your enter key (believe me!), and voila, root.

Sincerely,

Zack Hubert (zhubert () uwpn org)
UW Physicians Network - Unix Administrator



--
Eric Gatenby                       |  PGP Keys: 0x0B9761F5  (1024/RSA)
egatenby () pobox com                 |            0x9EA39CC7  (3072/DSS)
http://www.pobox.com/~egatenby/    |     Web page or key server

                      *** NOTE NEW EMAIL ADDRESS ***
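
The leftover Eric describes, as an added example that is not part of the thread: a POSIX sh audit that replays the README's steps in a scratch directory (stand-in files, no root, /usr/dt untouched), finds the setuid backup the steps leave behind, and applies the chmod 0100 fix. Function names and the backup-suffix list are assumptions of this example, not anything from the Digital patch.

```shell
#!/bin/sh
# Added example (not from the thread): audit a directory for setuid/setgid
# binaries whose names look like patch-time backups, the leftover Eric found.
# Everything runs in a scratch directory with stand-in files; /usr/dt is untouched.

# List setuid/setgid regular files under DIR that carry a backup suffix.
list_setuid_leftovers() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        \( -name '*.orig' -o -name '*.old' -o -name '*.bak' \) 2>/dev/null
}

# Count them; 0 means the directory is clean.
count_setuid_leftovers() {
    list_setuid_leftovers "$1" | wc -l | tr -d ' '
}

# Replay the README's steps (chown omitted, so no root is needed). The hard link
# keeps the old inode, and with it the old mode 6555, alive as dtaction.orig.
simulate_readme_patch() {
    bin=$1/usr-dt-bin; patches=$1/patches
    mkdir -p "$bin" "$patches"
    printf '#!/bin/sh\necho old\n' > "$bin/dtaction"      # stand-in for the vulnerable binary
    printf '#!/bin/sh\necho new\n' > "$patches/dtaction"  # stand-in for the patched binary
    chmod 6555 "$bin/dtaction"
    cp "$patches/dtaction" "$bin/dtaction.new"
    chmod 6555 "$bin/dtaction.new"
    ln "$bin/dtaction" "$bin/dtaction.orig"
    mv "$bin/dtaction.new" "$bin/dtaction"
    echo "$bin"
}

# Eric's fix applied to every leftover: chmod 0100 drops setuid, setgid and all
# permissions except owner execute.
neutralize_leftovers() {
    list_setuid_leftovers "$1" | while IFS= read -r f; do chmod 0100 "$f"; done
}

# Run the whole scenario; returns 0 only if exactly one leftover was found and fixed.
demo() {
    scratch=$(mktemp -d)
    bin=$(simulate_readme_patch "$scratch")
    before=$(count_setuid_leftovers "$bin")
    neutralize_leftovers "$bin"
    after=$(count_setuid_leftovers "$bin")
    rm -rf "$scratch"
    echo "setuid backups before fix: $before, after fix: $after"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}

demo
```

Pointed at a real directory, `list_setuid_leftovers` is the check to run after any such patch; the suffix list is only a starting point.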
