[11977] in bugtraq


Re: Vulnerability in dtaction on Digital Unix

daemon@ATHENA.MIT.EDU (Dave Dittrich)
Thu Sep 23 18:25:25 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.GUL.4.20.9909221424260.9086-100000@red6.cac.washington.edu>
Date:         Wed, 22 Sep 1999 14:35:23 -0700
Reply-To: Dave Dittrich <dittrich@CAC.WASHINGTON.EDU>
From: Dave Dittrich <dittrich@CAC.WASHINGTON.EDU>
X-To:         Eric Gatenby <egatenby@POBOX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.GSU.4.10.9909161956590.3578-100000@unix2.netaxs.com>

On Thu, 16 Sep 1999, Eric Gatenby wrote:

> I just installed this patch and noticed a major omission in the instructions
> for the installation of the patch.
>
> Here are the instructions from the README:
> # cd /usr/dt/bin
> # cp /patches/dtaction dtaction.new
> # chown root:system dtaction.new
> # chmod 6555 dtaction.new
> # ln dtaction dtaction.orig
> # mv dtaction.new dtaction
>
> The major problem is that it leaves the dtaction.orig file (the one with the
> overflow) setuid to root. Some admins will notice it, some won't...
>
> Solution? chmod 0100 /usr/dt/bin/dtaction.orig
>
> BTW, anyone know a general security address @ compaq where I can send info
> like this? I cannot seem to find one...

I'm not sure if that will help, as I was in the same position, finding
the same problem, earlier this year, and here it is happening again.

I asked the security team to change their boilerplate instructions
(which they claimed were the source of the problem - find security bug,
patch programs, grab boilerplate instructions, change program names,
send to customer).   Seems they only fix the message *after* you point
it out to them, on a patch-by-patch basis, leaving the boilerplate the
same to repeat the problem over and over again.

Here is the (elided) message I got after pointing this out to them in
February and specifically asking that they change the BOILERPLATE
as well:

----------------------------------------------------------------------------------
---------- Forwarded message ----------
Date: Thu, 4 Feb 1999 16:08:52 -0500
Subject: RE: Problem with SSRT0583U patch instructions
From: XXXXXXXXXX <XXXXXXXXXX@digital.com>
To: 'Dave Dittrich' <dittrich@cac.washington.edu>,
     Lamont Granquist <lamontg@raven.genome.washington.edu>
Cc: XXXXXXXXXXXX <XXXXXXXXXXXX@digital.com>

The engineer has corrected this in the patch - thanks for the information
Here are the updated installation instructions.  They are the same for
all versions of the operating system.  The only changes are the addition
of the "chmod 400" commands.

Installation Instructions:

The following instructions assume the patched files are in directory
/patches.

Become superuser and enter the following commands:

# cd /usr/bin

# cp /patches/at at.new
# chown root:bin at.new
# chmod 4755 at.new
# ln at at.orig
# mv at.new at
# chmod 400 at.orig

# cd /usr/bin/mh

# cp /patches/inc inc.new
# chown root:bin inc.new
# chmod 4755 inc.new
# ln inc inc.orig
# mv inc.new inc
# chmod 400 inc.orig

# cd /usr/shlib

# cp /patches/libmh.so libmh.so.new
# chown bin:bin libmh.so.new
# chmod 444 libmh.so.new
# ln libmh.so libmh.so.orig
# mv libmh.so.new libmh.so
# chmod 400 libmh.so.orig
----------------------------------------------------------------------------------

Perhaps a little "light of day" will prompt the owner of the boilerplate
(or the person who writes general procedures for producing patches) to
finally learn this lesson. ;)

--
Dave Dittrich                 Client Services
dittrich@cac.washington.edu   Computing & Communications
                              University of Washington

<a href="http://www.washington.edu/People/dad/">
Dave Dittrich / dittrich@cac.washington.edu [PGP Key]</a>
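
An audit for the condition discussed in this thread, added here as an example and not part of the original messages or the vendor's patch kit: it replays the README's `ln`/`mv` sequence in a scratch directory, lists `*.orig` files that kept a setuid or setgid bit, and applies the `chmod 400` step from the corrected instructions. The function names and the scratch-directory replay are assumptions; `chown` is left out so the replay runs unprivileged.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# List regular files under DIR named *.orig that still carry setuid or setgid.
# -perm -4000 / -perm -2000 are the POSIX "all of these bits set" tests.
find_stale_setid() {
    find "$1" -type f -name '*.orig' \( -perm -4000 -o -perm -2000 \) -print
}

# Apply the corrected instructions' step (chmod 400) to every hit and
# report each file that was changed.
fix_stale_setid() {
    find_stale_setid "$1" | while IFS= read -r f; do
        chmod 400 "$f" && printf 'fixed %s\n' "$f"
    done
}

# Replay the README sequence in a scratch directory with constructed files.
# $1 = scratch directory, $2 = program name. No chown, so no root needed.
replay_readme() {
    ( cd "$1" || exit 1
      printf 'old\n' > "$2";     chmod 4555 "$2"      # stands in for the unpatched setuid binary
      printf 'new\n' > "$2.new"; chmod 4555 "$2.new"  # stands in for the patched binary
      ln "$2" "$2.orig"      # hard link: same inode, so same mode 4555
      mv -f "$2.new" "$2"    # old inode now reachable only as $2.orig
    )
}

# Demo: after the replay, the .orig copy is reported because it is still setuid.
demo_dir=$(mktemp -d) && replay_readme "$demo_dir" dtaction \
    && find_stale_setid "$demo_dir"
rm -rf "$demo_dir"
```

On a real system, point `find_stale_setid` at the directories named in the patch instructions (for example `/usr/dt/bin`) and review the list before running `fix_stale_setid`.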
