[11937] in bugtraq
Re: Vulnerability in dtaction on Digital Unix
daemon@ATHENA.MIT.EDU (Eric Gatenby)
Fri Sep 17 05:14:46 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.GSU.4.10.9909161956590.3578-100000@unix2.netaxs.com>
Date: Thu, 16 Sep 1999 20:06:35 -0400
Reply-To: Eric Gatenby <egatenby@POBOX.COM>
From: Eric Gatenby <egatenby@POBOX.COM>
X-To: Zack Hubert <zhubert@UWPN.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <B9EC48C11241D311B3990090272894383F3F@matterhorn.uwpn.org>
I just installed this patch and noticed a major omission in the instructions
for the installation of the patch.
Here are the instructions from the README:
# cd /usr/dt/bin
# cp /patches/dtaction dtaction.new
# chown root:system dtaction.new
# chmod 6555 dtaction.new
# ln dtaction dtaction.orig
# mv dtaction.new dtaction
The major problem is that it leaves the dtaction.orig file (the one with the
overflow) setuid to root. Some admins will notice it, some won't...
Solution? chmod 0100 /usr/dt/bin/dtaction.orig
BTW, anyone know a general security address @ compaq where I can send info
like this? I cannot seem to find one...
--Eric
On Thu, 16 Sep 1999, Zack Hubert wrote:
>Hello,
>
>I have verified that the dtaction vulnerability in CDE can be exploited for
>local root compromise on Digital Unix systems.
>
>Background
>--------------
>This is a followup to the issue first introduced by Job de Haas on the
>buffer overflow present within /usr/dt/bin/dtaction. He had verified that
>the problem exists on Solaris 7, 2.6, 2.5.1. Lamont Granquist then posted a
>followup saying it was exploitable on Digital Unix's implementation of CDE.
>I have found Lamont's original assessment to be correct.
>
>Workaround
>---------------
>Use the patch (ssrt0615u_dtaction) available from Digital at
>http://ftp.service.digital.com/public/Digital_UNIX/.
>
>Code
>------
>Note: This was all written by Lamont Granquist and distributed under
>previous Digital Unix overflows. There is a slight modification however.
>Compile smashdu, change the perl script to match your location, put some
>kind of paperweight on your enter key (believe me!), and voila, root.
>
>Sincerely,
>
>Zack Hubert (zhubert@uwpn.org)
>UW Physicians Network - Unix Administrator
>
>
--
Eric Gatenby | PGP Keys: 0x0B9761F5 (1024/RSA)
egatenby@pobox.com | 0x9EA39CC7 (3072/DSS)
http://www.pobox.com/~egatenby/ | Web page or key server
*** NOTE NEW EMAIL ADDRESS ***
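As an added example (not part of Eric's post or the vendor README), a small POSIX sh audit for the problem he describes: after a patch is installed, look for leftover copies of a replaced binary (dtaction.orig and the like) that still carry the setuid or setgid bit, and strip them to mode 0100 as suggested. The directory argument and the suffix list are assumptions for illustration; the test builds its own sample files in a temporary directory.

```shell
#!/bin/sh
# Audit helper: report and neutralize setuid/setgid leftovers such as
# /usr/dt/bin/dtaction.orig that a patch install may leave behind.
# Suffixes and directory are assumptions, not taken from the README.

# find_leftover_setuid DIR
#   Print, one per line, the regular files directly under DIR whose name
#   ends in .orig, .old or .bak and which still have setuid or setgid set.
find_leftover_setuid() {
    find "$1" -maxdepth 1 -type f \
        \( -perm -4000 -o -perm -2000 \) \
        \( -name '*.orig' -o -name '*.old' -o -name '*.bak' \) 2>/dev/null
}

# neutralize_leftovers DIR
#   chmod 0100 every file reported by find_leftover_setuid (keeps the copy
#   around for diffing, but nobody but root can read or exec it and the
#   setuid bit is gone).  Prints the number of files it fixed.
neutralize_leftovers() {
    before=$(find_leftover_setuid "$1" | wc -l | tr -d ' ')
    find_leftover_setuid "$1" | while IFS= read -r f; do
        chmod 0100 "$f"
    done
    after=$(find_leftover_setuid "$1" | wc -l | tr -d ' ')
    echo $((before - after))
}

# Usage as an audit-only run: find_leftover_setuid /usr/dt/bin
# Usage to fix:               neutralize_leftovers /usr/dt/bin
```

Run the audit form from cron on patched hosts so a forgotten .orig binary shows up even if the installing admin did not notice it.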