Re: /usr/dt/bin/dtappgather exploit

[steven.goldberg () West Sun COM (Steven Goldberg - SE - Seattle WA)]

A patch is in the works and should be available soon.

thanks for the heads up.

Steve


> To: steven.goldberg@West
> CC: bugtraq () NETSPACE ORG
> Subject: Re: /usr/dt/bin/dtappgather exploit
> Mime-Version: 1.0
> Date: Wed, 18 Mar 1998 18:54:38 -0800
> From: Robert Lau <rslau () skat usc edu>
>
> This happened on a Solaris 2.5.1 box with the latest Sun CDE patches,
> including 104498-02.  We don't see any more recent patches at sunsolve.
>
>   -r-x--x--x   1 root     bin       115708 Jan  7 14:55 bin/dtappgather*
>
> Yet, they still managed to get the link:
>
>   /var/dt/appconfig/appmanager/generic-display-0 -> /etc/shadow
>
> The link was owned by the user whose account was compromised.
> They got root, replaced ssh and telnet binaries with ones that
> logged username/passwords to /usr/include/v9/sys/stdio.h
>
> We've contacted Sun but this it hasn't made it past first level tech
> support...  In the meantime, we've removed SUID root on dtappgather.
>
> Robert Lau
> Information Services Division - Core Services
> University of Southern California