CDE: dtappgather on AIX

Marcin Cieslak (saper@SGH.WAW.PL)
Sun, 25 Jan 1998 11:41:49 +0100

Yet another ssetuid bit turned on...
What about other implementations of CDE?

--
              << Marcin Cieslak // saper@sgh.waw.pl >>

---------- Forwarded message ---------- Date: Fri, 23 Jan 1998 12:49:33 -0600 From: AIX Service Mail Server <aixserv@austin.ibm.com> Subject: Security

This file contains summary information on AIX security alerts published by the Computer Emergency Response Team (CERT), and the IBM Emergency Response Team (ERS). The full text of these alerts can be obtained from this mail server by requesting the 'CERT' and 'ERS' files. This information (and more) is available from CERT and ERS directly on the world-wide web at the following URLs:

CERT: http://www.cert.org/

ERS: http://www.ers.ibm.com/

The fixes mentioned in this document, when available, will be available from FixDist. Information on obtaining and using FixDist is available by requesting the 'FixDist' document from this mail server, or at the following URL on the world-wide web:

http://service.software.ibm.com/aix.us/fixes

The 'Security_APARs' document on this mail server contains a list of security related APARs for which fixes are available as of April 1997. =============================================================================== =============================================================================== CERT* Advisory CA-98.02 Original issue date: Jan. 21, 1998 Last revised: --

Topic: Vulnerabilities in CDE -----------------------------------------------------------------------------

I. Description

There are several vulnerabilities in some implementations of the Common Desktop Environment (CDE). The root cause of these vulnerabilities is that the setuid root program "dtappgather" does not adequately check all information passed to it by users. By exploiting these vulnerabilities, an attacker can gain either unauthorized privileged access or cause a denial of service on the system.

II. Impact

Local users are able to gain write access to arbitrary files. This can be leveraged to gain privileged access.

Local users may also be able to remove files from arbitrary directories, thus causing a denial of service.

III. Solution

The version of dtappgather shipped with AIX is vulnerable. The following fixes are in progress:

AIX 3.2: not vulnerable; CDE not shipped in 3.2 AIX 4.1: IX73436 AIX 4.2: IX73437 AIX 4.3: IX73438

An emergency fix is available at the following URL:

ftp://aix.software.ibm.com/aix/efixes/security/dtappgather.tar.Z

===============================================================================

[ .. older ERS announcements follow (routed etc.) ... ]