[8426] in bugtraq


Re: another /usr/dt/bin/dtappgather feature!

daemon@ATHENA.MIT.EDU (Ben Collins)
Thu Nov 5 15:05:54 1998

Date: 	Wed, 4 Nov 1998 21:55:50 -0500
Reply-To: Ben Collins <bmc@VISI.NET>
From: Ben Collins <bmc@VISI.NET>
X-To:         Casper Dik <casper@HOLLAND.SUN.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199811041143.MAA23357@romulus>

-----BEGIN PGP SIGNED MESSAGE-----

This isn't a permissions problem on the directories, note that his output
shows that the directory does have the new (i.e. patched) permissions. I
tested this on a completely patched system (patched it right before I
tested it with the latest ones from sunsolve1). I was still able to
replicate the exploit.

On Wed, 4 Nov 1998, Casper Dik wrote:

> >There's attached the message related to this new feature..
> >the /usr/dt/bin/dtappgather program tries to read the environment variable
> >$DTUSERSESSION to get the name of the file to seek for.
> >The file is searched in /var/dt/appconfig/appmanager.
> >Under SunOS 5.5,5.5.1 (aka Solaris 2.5, 2.5.1) that directory is 777 or
> >01777 so you're able to make a symbolic link to the file you wish, but on
> >SunOS 5.6 (Solaris 2.6) the directory is 755 to avoid this.
> >Unfortunately the dtappgather never checks the $DTUSERSESSION variable, so
> >you can use the syntax ../../.. etc... to grab the file you wish, even if
> >you can't write the /var/dt/appconfig/appmanager directory....
>
>
> Unless I'm very much mistaken, this is fixed in Solaris 7 as well as
> with the following Solaris 2.x patches:
>
> 104497-04: CDE 1.0.1: dtappgather patch
> 104498-04: CDE 1.0.2: dtappgather patch
> 104499-04: CDE 1.0.1_x86: dtappgather patch
> 104500-04: CDE 1.0.2_x86: dtappgather patch
> 105837-02: CDE 1.2: dtappgather Patch
> 105838-02: CDE 1.2_x86: dtappgather Patch
>
> (Released in March & June this year)
>
> For /var/dt permissions, you need:
>
> 103882-08: CDE 1.0.2: dtlogin patch for login authentication issues
> 103884-06: CDE 1.0.1: dtlogin patch
> 103885-06: CDE 1.0.1_x86: dtlogin patch
> 103886-07: CDE 1.0.2_x86: dtlogin patch for login authentication issues
>
> This was fixed in 2.6, but you still need to apply the following for other
> problems:
> 105703-07: CDE 1.2: dtlogin patch
> 105704-07: CDE 1.2_x86: dtlogin patch
>
>
> I'm not 100% sure the 2.5* patches will correct the permissions on
> existing directories.  They will create new directories with the proper
> permissions.
>
>
>
> Casper
>

- ------------------------------------------------
Ben Collins <b.m.collins@larc.nasa.gov>
UnixGroup Admin - NASA LaRC

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBNkETvSo9WkFm9rsJAQEW7gP9H8tuViN6uX+XxqQtqHZ4aroBeDfkWuRf
aPFqHn3QErpW2gcaZU+YUjvhw7gliYh7VQVTNbPEVtA7GqRL35ldmmrSKm5IYRjV
4sFyKtZrTmOQQfqolSabVB10ox+/zMbGxpoVf+2jwHfNe6fGRhYrta2R0AGChK/c
8CL1F3weu/U=
=r60i
-----END PGP SIGNATURE-----
