SUMMARY: dtappgather root exploit

From: Mike Iglesias <iglesias_at_draco.acs.uci.edu>
Date: Wed, 04 Nov 1998 14:45:33 -0800

Here's an update on the dtappgather root exploit I posted earlier today:

The patch in 4.0D patch kit 2 fixes the part of the bug that changes
the ownership of any file to the user running dtappgather, but it does
*NOT* fix the part that changes the protection on the file. For
example, when I tried it using /etc/passwd as the target, the owner
stayed the same but the protection changed from 644 to 555. This is
still a problem, in that you can get read access to any file on the
system.

I checked patch kit 8 for 4.0B, and it's the same as the patched 4.0D
dtappgather.

I still suggest turning off the suid bit on dtappgather until we
get a fix from Digital. I will be reporting this to Digital.


Mike Iglesias Internet: iglesias_at_draco.acs.uci.edu
University of California, Irvine phone: 949-824-6926
Office of Academic Computing FAX: 949-824-2069
Received on Wed Nov 04 1998 - 22:46:26 NZDT
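
The interim mitigation and the symptom described in the message above, as an added example that is not part of the original post: a script that removes the setuid bit from a dtappgather binary and lists which of the given files currently have mode 555. The binary's path is supplied by the caller (no install location is assumed), the function names are hypothetical, and a 555 match only flags the value reported above, not its cause.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# The dtappgather path is passed in by the caller; none is assumed here.

# Return 0 if FILE is a regular file with the set-user-ID bit set.
has_suid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Remove the setuid bit and confirm it is gone.
# Returns 0 on success, 2 if the file is missing, 1 otherwise.
drop_suid() {
    [ -f "$1" ] || return 2
    chmod u-s "$1" || return 1
    ! has_suid "$1"
}

# Return 0 if FILE's permission bits are exactly MODE (octal, e.g. 555).
# Uses find -perm so it does not depend on a particular stat(1) syntax.
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# Print each listed file whose mode is exactly 555, the value the post
# reports /etc/passwd ending up with. Prints nothing if none match.
report_555() {
    for f in "$@"; do
        if mode_is "$f" 555; then
            echo "$f"
        fi
    done
}

# Usage: sh check.sh /path/to/dtappgather [file-to-check ...]
if [ "$#" -gt 0 ]; then
    target=$1; shift
    if has_suid "$target"; then
        drop_suid "$target" && echo "setuid removed from $target"
    else
        echo "$target is not setuid (or was not found)"
    fi
    report_555 "$@"
fi
```
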
