Bugtraq mailing list archives
Re: Vulnerability in dtaction on Digital Unix
From: egatenby () POBOX COM (Eric Gatenby)
Date: Thu, 16 Sep 1999 20:06:35 -0400
I just installed this patch and noticed a major omission in the instructions for the installation of the patch. Here are the instructions from the README:

# cd /usr/dt/bin
# cp /patches/dtaction dtaction.new
# chown root:system dtaction.new
# chmod 6555 dtaction.new
# ln dtaction dtaction.orig
# mv dtaction.new dtaction

The major problem is that it leaves the dtaction.orig file (the one with the overflow) setuid to root. Some admins will notice it, some won't...

Solution?

chmod 0100 /usr/dt/bin/dtaction.orig

BTW, anyone know a general security address @ compaq where I can send info like this? I cannot seem to find one...

--Eric

On Thu, 16 Sep 1999, Zack Hubert wrote:
> Hello,
>
> I have verified that the dtaction vulnerability in CDE can be exploited for local root compromise on Digital Unix systems.
>
> Background
> --------------
> This is a followup to the issue first introduced by Job de Haas on the buffer overflow present within /usr/dt/bin/dtaction. He had verified that the problem exists on Solaris 7, 2.6, 2.5.1. Lamont Granquist then posted a followup saying it was exploitable on Digital Unix's implementation of CDE. I have found Lamont's original assessment to be correct.
>
> Workaround
> ---------------
> Use the patch (ssrt0615u_dtaction) available from Digital at http://ftp.service.digital.com/public/Digital_UNIX/.
>
> Code
> ------
> Note: This was all written by Lamont Granquist and distributed under previous Digital Unix overflows. There is a slight modification however. Compile smashdu, change the perl script to match your location, put some kind of paperweight on your enter key (believe me!), and voila, root.
>
> Sincerely,
> Zack Hubert (zhubert () uwpn org)
> UW Physicians Network - Unix Administrator
-- Eric Gatenby | PGP Keys: 0x0B9761F5 (1024/RSA) egatenby () pobox com | 0x9EA39CC7 (3072/DSS) http://www.pobox.com/~egatenby/ | Web page or key server *** NOTE NEW EMAIL ADDRESS ***
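The point of the reply above is that the README's `ln dtaction dtaction.orig` keeps the old inode, mode 6555 and all, so the vulnerable binary stays setuid root under a new name. The following is an added example, not code from either poster or from the Digital patch kit: it replays the README sequence against a scratch directory, adds the `chmod 0100` fix as a second step, and provides a check that lists backup-named files which still carry setuid or setgid. The function names (`readme_install`, `safe_install`, `list_setuid_backups`, `count_setuid_backups`) are my own, the `chown root:system` step is omitted because it needs root and does not affect the permission-bit behaviour being shown, and the directory layout is constructed for the demonstration rather than taken from a real system.

```shell
#!/bin/sh
# Added example (not part of the original post). Demonstrates why the
# README's install steps leave a setuid copy behind, and how to check for it.

# readme_install <bindir> <patched_binary>
# The README's sequence as written (minus chown, which needs root).
# The hard link keeps the old inode, so dtaction.orig keeps mode 6555.
readme_install() {
    cp "$2" "$1/dtaction.new" &&
    chmod 6555 "$1/dtaction.new" &&
    ln "$1/dtaction" "$1/dtaction.orig" &&
    mv "$1/dtaction.new" "$1/dtaction"
}

# safe_install <bindir> <patched_binary>
# Same sequence, followed by the fix from the post: strip every
# privilege bit from the retained original (mode 0100, owner-execute only).
safe_install() {
    readme_install "$1" "$2" && chmod 0100 "$1/dtaction.orig"
}

# list_setuid_backups <dir>
# Print regular files under <dir> with a backup-style name that still
# carry the setuid or setgid bit. Empty output means nothing was left behind.
# On a live system the argument would be /usr/dt/bin (or / for a full sweep).
list_setuid_backups() {
    find "$1" -type f \
        \( -name '*.orig' -o -name '*.old' -o -name '*.bak' -o -name '*.new' \) \
        \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# count_setuid_backups <dir>
# Number of leftover privileged backups found by list_setuid_backups.
count_setuid_backups() {
    list_setuid_backups "$1" | wc -l | tr -d ' '
}
```

Run `list_setuid_backups /usr/dt/bin` after applying a vendor patch of this shape; anything it prints is a file the patch notes did not tell you to neutralise. The `find -perm -4000 -o -perm -2000` test is POSIX and works on both Digital Unix and GNU find.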
Current thread:
- BT/Cellnet Genie vulnerability James Fidell (Sep 15)
- Re: BT/Cellnet Genie vulnerability James Fidell (Sep 15)
- Vulnerability in dtaction on Digital Unix Zack Hubert (Sep 16)
- Re: Vulnerability in dtaction on Digital Unix Eric Gatenby (Sep 16)
- Nmap and Cisco Dos, clarification -- Lancashire, Andrew (Sep 22)
- Re: Nmap and Cisco Dos, clarification -- Darren Reed (Sep 23)
- LD_PROFILE local root exploit for solaris 2.6 Steve Mynott (Sep 22)
- Re: LD_PROFILE local root exploit for solaris 2.6 Brock Sides (Sep 23)
- Re: LD_PROFILE local root exploit for solaris 2.6 Erik Fichtner (Sep 23)
- Announcing Second Annual TooRcon Computer Security Expo Ben (Sep 25)
- Re: Vulnerability in dtaction on Digital Unix Eric Gatenby (Sep 16)
- Re: LD_PROFILE local root exploit for solaris 2.6 Casper Dik (Sep 24)
- Re: LD_PROFILE local root exploit for solaris 2.6 Eric Daniel (Sep 28)
- Re: LD_PROFILE local root exploit for solaris 2.6 Pavel Kankovsky (Sep 24)
- Re: Vulnerability in dtaction on Digital Unix Dave Dittrich (Sep 22)