Bugtraq mailing list archives

Re: Vulnerability in dtaction on Digital Unix


From: dittrich () CAC WASHINGTON EDU (Dave Dittrich)
Date: Wed, 22 Sep 1999 14:35:23 -0700


On Thu, 16 Sep 1999, Eric Gatenby wrote:

> I just installed this patch and noticed a major omission in the instructions
> for the installation of the patch.
>
> Here are the instructions from the README:
> # cd /usr/dt/bin
> # cp /patches/dtaction dtaction.new
> # chown root:system dtaction.new
> # chmod 6555 dtaction.new
> # ln dtaction dtaction.orig
> # mv dtaction.new dtaction
>
> The major problem is that it leaves the dtaction.orig file (the one with the
> overflow) setuid to root. Some admins will notice it, some won't...
>
> Solution? chmod 0100 /usr/dt/bin/dtaction.orig
>
> BTW, anyone know a general security address @ compaq where I can send info
> like this? I cannot seem to find one...

I'm not sure if that will help, as I was in the same position, finding
the same problem, earlier this year, and here it is happening again.

I asked the security team to change their boilerplate instructions
(which they claimed were the source of the problem - find security bug,
patch programs, grab boilerplate instructions, change program names,
send to customer).   Seems they only fix the message *after* you point
it out to them, on a patch-by-patch basis, leaving the boilerplate the
same to repeat the problem over and over again.

Here is the (elided) message I got after pointing this out to them in
February and specifically asking that they change the BOILERPLATE
as well:

----------------------------------------------------------------------------------
---------- Forwarded message ----------
Date: Thu, 4 Feb 1999 16:08:52 -0500
Subject: RE: Problem with SSRT0583U patch instructions
From: XXXXXXXXXX <XXXXXXXXXX () digital com>
To: 'Dave Dittrich' <dittrich () cac washington edu>,
     Lamont Granquist <lamontg () raven genome washington edu>
Cc: XXXXXXXXXXXX <XXXXXXXXXXXX () digital com>

The engineer has corrected this in the patch - thanks for the information.
Here are the updated installation instructions.  They are the same for
all versions of the operating system.  The only changes are the addition
of the "chmod 400" commands.

Installation Instructions:

The following instructions assume the patched files are in directory
/patches.

Become superuser and enter the following commands:

# cd /usr/bin

# cp /patches/at at.new
# chown root:bin at.new
# chmod 4755 at.new
# ln at at.orig
# mv at.new at
# chmod 400 at.orig

# cd /usr/bin/mh

# cp /patches/inc inc.new
# chown root:bin inc.new
# chmod 4755 inc.new
# ln inc inc.orig
# mv inc.new inc
# chmod 400 inc.orig

# cd /usr/shlib

# cp /patches/libmh.so libmh.so.new
# chown bin:bin libmh.so.new
# chmod 444 libmh.so.new
# ln libmh.so libmh.so.orig
# mv libmh.so.new libmh.so
# chmod 400 libmh.so.orig
----------------------------------------------------------------------------------

Perhaps a little "light of day" will prompt the owner of the boilerplate
(or the person who writes general procedures for producing patches) to
finally learn this lesson. ;)

--
Dave Dittrich                 Client Services
dittrich () cac washington edu   Computing & Communications
                              University of Washington

Dave Dittrich / dittrich () cac washington edu [PGP Key] <http://www.washington.edu/People/dad/>
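
The hard-link behaviour discussed in this thread, as an added example that is not part of the original post or of the vendor's instructions: it replays the README sequence in a scratch directory and then finds and neutralises the backup name that kept its setuid/setgid bits. The function names, the suffix list, the omission of chown and the use of mv -f are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the thread or the vendor README.

# List regular files under $1 that are setuid or setgid AND carry a backup
# suffix. The suffix list is an assumption. Extra arguments replace -print
# as the find action.
find_stale_setid() {
    dir=$1; shift
    if [ $# -eq 0 ]; then set -- -print; fi
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) \
        \( -name '*.orig' -o -name '*.old' -o -name '*.bak' -o -name '*.new' \) \
        "$@"
}

# Replay the README sequence in directory $1 for program $2, installing
# patched file $3 with mode $4. chown is left out so it runs unprivileged;
# mv -f avoids the prompt a non-root user gets on a read-only target.
readme_install() {
    ( cd "$1" &&
      cp "$3" "$2.new" &&
      chmod "$4" "$2.new" &&
      ln "$2" "$2.orig" &&    # hard link: same inode, so same setuid mode
      mv -f "$2.new" "$2" )   # only the name moves; .orig keeps the old inode
}

# Apply the vendor's corrected mode (400) to every stale file under $1.
retire_stale_setid() {
    find_stale_setid "$1" -exec chmod 400 {} +
}
```
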


