CDE: dtappgather on AIX

Marcin Cieslak (saper@SGH.WAW.PL)
Sun, 25 Jan 1998 11:41:49 +0100

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: route@RESENTMENT.INFONEXUS.COM: "Announcement: Phrack 52"
Previous message: Aleph One: "Q179148: Settings May Not Be Applied with URL with Short Filename"

Yet another ssetuid bit turned on...
What about other implementations of CDE?

--
              << Marcin Cieslak // saper@sgh.waw.pl >>

---------- Forwarded message ----------
Date: Fri, 23 Jan 1998 12:49:33 -0600
From: AIX Service Mail Server <aixserv@austin.ibm.com>
Subject: Security

This file contains summary information on AIX security alerts published
by the Computer Emergency Response Team (CERT), and the IBM Emergency
Response Team (ERS).  The full text of these alerts can be obtained from
this mail server by requesting the 'CERT' and 'ERS' files.  This
information (and more) is available from CERT and ERS directly on the
world-wide web at the following URLs:

  CERT: http://www.cert.org/

   ERS: http://www.ers.ibm.com/

The fixes mentioned in this document, when available, will be available
from FixDist.  Information on obtaining and using FixDist is available
by requesting the 'FixDist' document from this mail server, or at the
following URL on the world-wide web:

  http://service.software.ibm.com/aix.us/fixes

The 'Security_APARs' document on this mail server contains a list of
security related APARs for which fixes are available as of April 1997.
===============================================================================
===============================================================================
CERT* Advisory CA-98.02
Original issue date: Jan. 21, 1998
Last revised: --

Topic: Vulnerabilities in CDE
-----------------------------------------------------------------------------

I.   Description

     There are several vulnerabilities in some implementations of the Common
     Desktop Environment (CDE). The root cause of these vulnerabilities is
     that the setuid root program "dtappgather" does not adequately check all
     information passed to it by users. By exploiting these vulnerabilities,
     an attacker can gain either unauthorized privileged access or cause a
     denial of service on the system.

II.  Impact

     Local users are able to gain write access to arbitrary files. This can be
     leveraged to gain privileged access.

     Local users may also be able to remove files from arbitrary directories,
     thus causing a denial of service.

III. Solution

     The version of dtappgather shipped with AIX is vulnerable.  The
     following fixes are in progress:

       AIX 3.2:  not vulnerable; CDE not shipped in 3.2
       AIX 4.1:  IX73436
       AIX 4.2:  IX73437
       AIX 4.3:  IX73438

     An emergency fix is available at the following URL:

       ftp://aix.software.ibm.com/aix/efixes/security/dtappgather.tar.Z

===============================================================================

[ .. older ERS announcements follow (routed etc.) ... ]

Next message: route@RESENTMENT.INFONEXUS.COM: "Announcement: Phrack 52"
Previous message: Aleph One: "Q179148: Settings May Not Be Applied with URL with Short Filename"