Bugtraq mailing list archives
Re: /usr/dt/bin/dtappgather exploit
From: steven.goldberg () West Sun COM (Steven Goldberg - SE - Seattle WA)
Date: Thu, 19 Mar 1998 11:51:54 -0800
A patch is in the works and should be available soon. Thanks for the heads up.

Steve
To: steven.goldberg@West
CC: bugtraq () NETSPACE ORG
Subject: Re: /usr/dt/bin/dtappgather exploit
Mime-Version: 1.0
Date: Wed, 18 Mar 1998 18:54:38 -0800
From: Robert Lau <rslau () skat usc edu>

This happened on a Solaris 2.5.1 box with the latest Sun CDE patches, including 104498-02. We don't see any more recent patches at sunsolve.

-r-x--x--x 1 root bin 115708 Jan 7 14:55 bin/dtappgather*

Yet, they still managed to get the link:

/var/dt/appconfig/appmanager/generic-display-0 -> /etc/shadow

The link was owned by the user whose account was compromised. They got root, replaced ssh and telnet binaries with ones that logged username/passwords to /usr/include/v9/sys/stdio.h

We've contacted Sun but this hasn't made it past first level tech support... In the meantime, we've removed SUID root on dtappgather.

Robert Lau
Information Services Division - Core Services
University of Southern California
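A host check for the two conditions reported in the message above, a symbolic link under /var/dt/appconfig/appmanager and the set-user-ID bit on dtappgather. This is an added example, not part of the original thread or any Sun tooling; the function names, the `APPMGR_DIR` and `DTAPPGATHER` variables and the `--audit` switch are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Defaults are the two paths named in the
# post; the function names, variables and --audit switch are hypothetical.
APPMGR_DIR="${APPMGR_DIR:-/var/dt/appconfig/appmanager}"
DTAPPGATHER="${DTAPPGATHER:-/usr/dt/bin/dtappgather}"

# Print one line per symbolic link found directly under directory $1,
# with the link's owner and target (the post notes the link was owned by
# the compromised account and pointed at /etc/shadow).
list_symlinks() {
    dir=$1
    [ -d "$dir" ] || return 0
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -h "$entry" ] || continue
        listing=$(ls -ld "$entry")
        owner=$(printf '%s\n' "$listing" | awk '{print $3}')
        target=$(printf '%s\n' "$listing" | sed 's/^.* -> //')
        printf '%s owner=%s target=%s\n' "$entry" "$owner" "$target"
    done
    return 0
}

# Succeed only if $1 is a regular file with the set-user-ID bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    list_symlinks "$APPMGR_DIR"
    if is_setuid "$DTAPPGATHER"; then
        echo "set-user-ID still present: $(ls -ld "$DTAPPGATHER")"
    fi
fi
```

Any line printed by `list_symlinks` deserves a look at the owner and target; the directory and binary can be overridden through the two variables for testing on a copy.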