[8442] in bugtraq


Re: another /usr/dt/bin/dtappgather feature!

daemon@ATHENA.MIT.EDU (Scott Cromar)
Fri Nov 6 14:47:24 1998

Date: 	Thu, 5 Nov 1998 20:32:09 -0500
Reply-To: Scott Cromar <cromar@PRINCETON.EDU>
From: Scott Cromar <cromar@PRINCETON.EDU>
X-To:         Ben Collins <bmc@VISI.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.4.02.9811042153180.17259-100000@goodguy.dyn.ml.org>

I had submitted a similar exploit to Sun in about May.  With each new
patch that is released, I get a phone call to try the exploit again, and
it still works.  Of course, now it is getting harder for me to test it,
since we have moved to Solaris 2.6 for all of our systems that use CDE...

As was noted in the original post, the real problem is with the
permissions of the directory in question.  Once you realize that, an
exploit becomes trivial.  I'm hoping that Sun releases a functional
security patch for 2.5.1 dtappgather, but for now we are recommending just
removing the SUID bit.

--Scott

On Wed, 4 Nov 1998, Ben Collins wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> This isn't a permissions problem on the directories, note that his output
> shows that the directory does have the new (i.e. patched) permissions. I
> tested this on a completely patched system (patched it right before I
> tested it with the latest ones from sunsolve1). I was still able to
> replicate the exploit.
>
> On Wed, 4 Nov 1998, Casper Dik wrote:
>
> > >Attached is the message related to this new feature..
> > >the /usr/dt/bin/dtappgather program tries to read the environment variable
> > >$DTUSERSESSION to get the name of the file to seek for.
> > >The file is searched in /var/dt/appconfig/appmanager.
> > >Under SunOS 5.5,5.5.1 (aka Solaris 2.5, 2.5.1) that directory is 777 or
> > >01777 so you're able to make a symbolic link to the file you wish, but on
> > >SunOS 5.6 (Solaris 2.6) the directory is 755 to avoid this.
> > >Unfortunately the dtappgather never checks the $DTUSERSESSION variable, so
> > >you can use the syntax ../../.. etc... to grab the file you wish, even if
> > >you can't write the /var/dt/appconfig/appmanager directory....
> >
> >
> > Unless I'm very much mistaken, this is fixed in Solaris 7 as well as
> > with the following Solaris 2.x patches:
> >
> > 104497-04: CDE 1.0.1: dtappgather patch
> > 104498-04: CDE 1.0.2: dtappgather patch
> > 104499-04: CDE 1.0.1_x86: dtappgather patch
> > 104500-04: CDE 1.0.2_x86: dtappgather patch
> > 105837-02: CDE 1.2: dtappgather Patch
> > 105838-02: CDE 1.2_x86: dtappgather Patch
> >
> > (Released in March & June this year)
> >
> > For /var/dt permissions, you need:
> >
> > 103882-08: CDE 1.0.2: dtlogin patch for login authentication issues
> > 103884-06: CDE 1.0.1: dtlogin patch
> > 103885-06: CDE 1.0.1_x86: dtlogin patch
> > 103886-07: CDE 1.0.2_x86: dtlogin patch for login authentication issues
> >
> > This was fixed in 2.6, but you still need to apply the following for other
> > problems:
> > 105703-07: CDE 1.2: dtlogin patch
> > 105704-07: CDE 1.2_x86: dtlogin patch
> >
> >
> > I'm not 100% sure the 2.5* patches will correct the permissions on
> > existing directories.  They will create new directories with the proper
> > permissions.
> >
> >
> >
> > Casper
> >
>
> - ------------------------------------------------
> Ben Collins <b.m.collins@larc.nasa.gov>
> UnixGroup Admin - NASA LaRC
>
>
