Bugtraq mailing list archives
Re: Vulnerability in dtaction on Digital Unix
From: dittrich () CAC WASHINGTON EDU (Dave Dittrich)
Date: Wed, 22 Sep 1999 14:35:23 -0700
On Thu, 16 Sep 1999, Eric Gatenby wrote:
> I just installed this patch and noticed a major omission in the
> instructions for the installation of the patch. Here are the
> instructions from the README:
>
> # cd /usr/dt/bin
> # cp /patches/dtaction dtaction.new
> # chown root:system dtaction.new
> # chmod 6555 dtaction.new
> # ln dtaction dtaction.orig
> # mv dtaction.new dtaction
>
> The major problem is that it leaves the dtaction.orig file (the one
> with the overflow) setuid to root. Some admins will notice it, some
> won't...
>
> Solution?
>
> chmod 0100 /usr/dt/bin/dtaction.orig
>
> BTW, anyone know a general security address @ compaq where I can send
> info like this? I cannot seem to find one...
I'm not sure if that will help, as I was in the same position, finding the same problem, earlier this year, and here it is happening again.

I asked the security team to change their boilerplate instructions (which they claimed were the source of the problem - find security bug, patch programs, grab boilerplate instructions, change program names, send to customer). Seems they only fix the message *after* you point it out to them, on a patch-by-patch basis, leaving the boilerplate the same to repeat the problem over and over again.

Here is the (elided) message I got after pointing this out to them in February and specifically asking that they change the BOILERPLATE as well:

----------------------------------------------------------------------------------
---------- Forwarded message ----------
Date: Thu, 4 Feb 1999 16:08:52 -0500
Subject: RE: Problem with SSRT0583U patch instructions
From: XXXXXXXXXX <XXXXXXXXXX () digital com>
To: 'Dave Dittrich' <dittrich () cac washington edu>, Lamont Granquist <lamontg () raven genome washington edu>
Cc: XXXXXXXXXXXX <XXXXXXXXXXXX () digital com>

The engineer has corrected this in the patch - thanks for the information

Here are the updated installation instructions. They are the same for all versions of the operating system. The only changes are the addition of the "chmod 400" commands.

Installation Instructions:

The following instructions assume the patched files are in directory /patches.

Become superuser and enter the following commands:

# cd /usr/bin
# cp /patches/at at.new
# chown root:bin at.new
# chmod 4755 at.new
# ln at at.orig
# mv at.new at
# chmod 400 at.orig

# cd /usr/bin/mh
# cp /patches/inc inc.new
# chown root:bin inc.new
# chmod 4755 inc.new
# ln inc inc.orig
# mv inc.new inc
# chmod 400 inc.orig

# cd /usr/shlib
# cp /patches/libmh.so libmh.so.new
# chown bin:bin libmh.so.new
# chmod 444 libmh.so.new
# ln libmh.so libmh.so.orig
# mv libmh.so.new libmh.so
# chmod 400 libmh.so.orig
----------------------------------------------------------------------------------

Perhaps a little "light of day" will prompt the owner of the boilerplate (or the person who writes general procedures for producing patches) to finally learn this lesson. ;)

--
Dave Dittrich                     Client Services
dittrich () cac washington edu    Computing & Communications
                                  University of Washington
<a href="http://www.washington.edu/People/dad/">
Dave Dittrich / dittrich () cac washington edu [PGP Key]</a>
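
An added example, not part of the original posts or the vendor's README: a shell audit for the problem both messages describe, a backup copy that keeps the setuid/setgid bits after the ln/mv sequence. The function names, the suffix list and the scratch-directory replay with stand-in files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit for setuid/setgid backup copies left behind by
# "ln prog prog.orig; mv prog.new prog" style patch instructions.

# List regular files under the given directories that still carry the
# setuid or setgid bit and have a backup-style name. The suffix list is
# an assumption; extend it to match local conventions.
find_suid_backups() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) \
        \( -name '*.orig' -o -name '*.old' -o -name '*.bak' \) -print
}

# Replay the README steps from the thread in a scratch directory, using
# constructed stand-in files. chown is omitted so it runs unprivileged.
replay_readme_steps() {
    dir=$1
    mkdir -p "$dir/patches" "$dir/bin"
    echo 'vulnerable build' > "$dir/bin/dtaction"
    chmod 6555 "$dir/bin/dtaction"      # old binary, setuid and setgid
    echo 'patched build' > "$dir/patches/dtaction"
    (
        cd "$dir/bin" || exit 1
        cp ../patches/dtaction dtaction.new
        chmod 6555 dtaction.new
        ln dtaction dtaction.orig       # hard link: same inode, same mode
        mv -f dtaction.new dtaction     # -f: no prompt on read-only target
    )
}

# Usage: sh audit.sh /usr/dt/bin /usr/bin ...
if [ "$#" -gt 0 ]; then
    find_suid_backups "$@"
fi
```

Because `ln` creates a second name for the same inode, the `.orig` name keeps mode 6555 until it is changed explicitly; the later `mv` only replaces what the name `dtaction` points to.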