Re: /usr/dt/bin/dtappgather exploit

Steven Goldberg - SE - Seattle WA (steven.goldberg@West.Sun.COM)
Thu, 19 Mar 1998 11:51:54 -0800

A patch is in the works and should be available soon.

Thanks for the heads up.

Steve

> To: steven.goldberg@West
> CC: bugtraq@NETSPACE.ORG
> Subject: Re: /usr/dt/bin/dtappgather exploit
> Mime-Version: 1.0
> Date: Wed, 18 Mar 1998 18:54:38 -0800
> From: Robert Lau <rslau@skat.usc.edu>
>
> This happened on a Solaris 2.5.1 box with the latest Sun CDE patches,
> including 104498-02. We don't see any more recent patches at sunsolve.
>
> -r-x--x--x 1 root bin 115708 Jan 7 14:55 bin/dtappgather*
>
> Yet, they still managed to get the link:
>
> /var/dt/appconfig/appmanager/generic-display-0 -> /etc/shadow
>
> The link was owned by the user whose account was compromised.
> They got root, replaced ssh and telnet binaries with ones that
> logged username/passwords to /usr/include/v9/sys/stdio.h
>
> We've contacted Sun but it hasn't made it past first level tech
> support... In the meantime, we've removed SUID root on dtappgather.
>
> Robert Lau
> Information Services Division - Core Services
> University of Southern California
>
>
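An added audit helper, not part of the thread above, that checks the two things the report turns on: symlinks under the appmanager directory that resolve to a target outside it (the generic-display-0 -> /etc/shadow link), and whether dtappgather still carries the set-user-ID bit. It assumes a POSIX sh with readlink -f available; the directory and binary paths are the ones quoted in the report.

```shell
#!/bin/sh
# Added example, not from the original posts. Assumes POSIX sh plus readlink -f.

# Directory dtappgather writes its per-display files into, per the report.
APPMGR_DIR="${APPMGR_DIR:-/var/dt/appconfig/appmanager}"
DTAPPGATHER="${DTAPPGATHER:-/usr/dt/bin/dtappgather}"

# List every symlink under $1 whose canonical target lies outside $1.
# A link like generic-display-0 -> /etc/shadow is exactly what let a
# root-owned write land on the shadow file. Output: "<link> -> <target>".
find_escaping_symlinks() {
    dir=$1
    # Canonicalise the base directory so the prefix comparison is reliable.
    base=$(cd "$dir" && pwd -P) || return 2
    find "$dir" -type l 2>/dev/null | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null)   # final resolved target
        case "$target" in
            "$base"/*) ;;                            # stays inside: fine
            *) printf '%s -> %s\n' "$link" "$target" ;;  # escapes (or dangling)
        esac
    done
}

# Report whether a file still has the set-user-ID bit. Clearing it on
# dtappgather was the interim fix mentioned in the report.
setuid_state() {
    if [ -u "$1" ]; then echo setuid; else echo not-setuid; fi
}

# Stand-alone use: audit the real paths when run as a script.
if [ "${0##*/}" = "dtappgather_audit.sh" ]; then
    echo "dtappgather: $(setuid_state "$DTAPPGATHER")"
    find_escaping_symlinks "$APPMGR_DIR"
fi
```

Run as dtappgather_audit.sh to audit the live system; any line printed by find_escaping_symlinks names a link that points outside the appmanager tree and deserves a look.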