Bugtraq mailing list archives

CDE: dtappgather on AIX


From: saper () SGH WAW PL (Marcin Cieslak)
Date: Sun, 25 Jan 1998 11:41:49 +0100


Yet another setuid bit turned on...
What about other implementations of CDE?

--
              << Marcin Cieslak // saper () sgh waw pl >>

---------- Forwarded message ----------
Date: Fri, 23 Jan 1998 12:49:33 -0600
From: AIX Service Mail Server <aixserv () austin ibm com>
Subject: Security

This file contains summary information on AIX security alerts published
by the Computer Emergency Response Team (CERT), and the IBM Emergency
Response Team (ERS).  The full text of these alerts can be obtained from
this mail server by requesting the 'CERT' and 'ERS' files.  This
information (and more) is available from CERT and ERS directly on the
world-wide web at the following URLs:

  CERT: http://www.cert.org/

   ERS: http://www.ers.ibm.com/

The fixes mentioned in this document, when available, will be available
from FixDist.  Information on obtaining and using FixDist is available
by requesting the 'FixDist' document from this mail server, or at the
following URL on the world-wide web:

  http://service.software.ibm.com/aix.us/fixes

The 'Security_APARs' document on this mail server contains a list of
security related APARs for which fixes are available as of April 1997.
===============================================================================
===============================================================================
CERT* Advisory CA-98.02
Original issue date: Jan. 21, 1998
Last revised: --

Topic: Vulnerabilities in CDE
-----------------------------------------------------------------------------

I.   Description

     There are several vulnerabilities in some implementations of the Common
     Desktop Environment (CDE). The root cause of these vulnerabilities is
     that the setuid root program "dtappgather" does not adequately check all
     information passed to it by users. By exploiting these vulnerabilities,
     an attacker can either gain unauthorized privileged access or cause a
     denial of service on the system.

II.  Impact

     Local users are able to gain write access to arbitrary files. This can be
     leveraged to gain privileged access.

     Local users may also be able to remove files from arbitrary directories,
     thus causing a denial of service.

III. Solution

     The version of dtappgather shipped with AIX is vulnerable.  The
     following fixes are in progress:

       AIX 3.2:  not vulnerable; CDE not shipped in 3.2
       AIX 4.1:  IX73436
       AIX 4.2:  IX73437
       AIX 4.3:  IX73438

     An emergency fix is available at the following URL:

       ftp://aix.software.ibm.com/aix/efixes/security/dtappgather.tar.Z

===============================================================================


[ .. older ERS announcements follow (routed etc.) ... ]


