MORE SUMMARY: dop

From: T. S. Horsnell <tsh_at_mrc-lmb.cam.ac.uk>
Date: Thu, 19 Nov 1998 15:29:10 +0000 (GMT)

Apologies for my curt summary last time. Here's the works:
T.

>
> Can anyone tell me what dop and/or /etc/doprc do?
> I can't find 'man' on either of them but /usr/sbin/dop is suid root
> and someone looks to have tried '/usr/bin/dop crack-user=root'
> on my machine...
>
> TIA, Terry
>
>
>

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Dop is "distribution of privilege." It is used in the following way: some
administrative programs (dxaccounts for example) notice when they are
being run by a non-root user. They then give you the option of being run
as root for "increased functionality." If you like that, you are asked to
provide the root password and the program comes up as root alongside your
other, normal applications. Dop is used in this process. If you disable
it, you won't be able to use this nifty feature.

There was a security loophole in dop. It has been closed in the more
recent versions of Digital Unix (I think it was closed in one of the patch
kits for DU v4.0B, but it might have been earlier than that). Most likely
you have a user who is trying to exploit that loophole. If that is so,
then you should be vigilant! Even if you are using a recent enough version
of dop to be safe, you may have a user who is trying to gain root access
on your machine. Expect other attempts in other ways!

*****************************************************************************
Peter
pchapin_at_twilight.vtc.vsc.edu http://twilight.vtc.vsc.edu/~pchapin/

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

I believe dop has something to do with the Tcl/Tk system administration GUIs
(OSFSYSMAN* package).

The program was a security hole on DU 4.0, 4.0A, and 4.0B.
(And a very easily exploited one.) So you should probably make
sure you weren't really cracked.

-- Paul A. Sand
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
dop = do privileged
It allows you to start applications as root by providing the root password
at the X11-based prompt.
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
Hi
	There was a security hole in dop some time ago that could be exploited
using "/usr/bin/dop crack-user=root" as you mentioned. This has been fixed
in one of the patches. The easy alternative was to remove the suid bit which
could cause some problems with accounts administration not done by root.
My suggestion is that you suspend or even remove this user of yours for this
"experiment", unless he/she has a very good reason to have tried it.
						Philippe Gouffon
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
There is a security bug in dop. You MUST install the
patch if you have not already done so.
dop is Division of Privilege and is used by
GUI programs run as a normal user to exec a process
like su (e.g. account administration).
Alberto Brosich
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
_______________________________________________________________________
  PRODUCT:  DIGITAL UNIX[TM] V4.0, V4.0A, V4.0B         MARCH 6, 1997
  TITLE:  Division of Privilege (DoP) - Potential Security Vulnerability
  SOURCE: Digital Equipment Corporation
          Software Security Response Team/Colorado Springs USA
  "Digital is broadly distributing this Security Advisory in order to
  bring to the attention of users of Digital's products the important
  security information contained in this Advisory.  Digital recommends
  that all users determine the applicability of this information to
  their individual situations and take appropriate action.
  Digital does not warrant that this information is necessarily
  accurate or complete for all user situations and, consequently,
  Digital will not be responsible for any damages resulting from
  user's use or disregard of the information provided in this
  Advisory."
----------------------------------------------------------------------
IMPACT:
  Digital has discovered a potential vulnerability with the
  Division of Privilege (DoP), "/usr/sbin/dop" for DIGITAL UNIX
  V4.0, V4.0A and V4.0B, where under certain circumstances,
  an unauthorized user may gain unauthorized privileges.  Digital
  strongly recommends that the workaround be implemented
  immediately for any version affected, and that the
  appropriate patch kit be installed as soon as it becomes
  available.
----------------------------------------------------------------------
RESOLUTION:
  This potential security issue has been resolved and an
  official fix for this problem will be made available
  beginning the 13th of March 1997. As the patches become
  available per affected version, Digital will provide them
  through:
  o the World Wide Web at the following FTP address:
    ftp://ftp.service.digital.com/public/
        the sub directory Digital_UNIX, key identifier SSRT0435U
  Note: [1]The patch kits mentioned above will be replaced in
        the near future through normal patch release
        procedures.
        [2]The appropriate patch kit must be reinstalled
        following any upgrade beginning with V4.0
        up to and including V4.0b.
----------------------------------------------------------------------
TEMPORARY WORKAROUND:
  Prior to receiving the official patch for this fix, a
  temporary workaround for this problem is to clear the
  setuid bit from the /usr/sbin/dop command as follows:
                # chmod 0 /usr/sbin/dop
  This temporary workaround will resolve the security issue,
  but will also defeat DoP's purpose.  See "ADDITIONAL
  COMMENTS" below for the purpose of DoP, the effect of
  using this temporary workaround, and what to do as a
  solution while using this temporary workaround.
----------------------------------------------------------------------
ADDITIONAL COMMENTS:
  The DoP command is used to provide non-root users with the
  ability to enter the root password to access the graphical
  system management applications via the CDE application
  manager or the Host Manager.  When a non-root user
  attempts to execute a system management application
  through one of these applications, the user will be
  prompted with a password dialog.  If the user enters the
  correct root password, they will gain root privilege while
  running the given application.
  If the setuid bit is cleared from /usr/sbin/dop, then
  users will not be able to access the system management
  applications from either the CDE application manager or
  the Host Manager.
  The following are workarounds to allow users to run the
  graphical system management applications with DoP
  disabled:
  [1] Log into a CDE session as root and access the system
  management applications.
  [2] If logged in as a normal user, become root in your
  preferred X-based terminal emulator (xterm, dxterm, dtterm,
  etc.) and run the graphical system management application
  via the command line.
  If you need further information, please contact your
  normal DIGITAL support channel.
  DIGITAL appreciates your cooperation and patience. We
  regret any inconvenience applying this information may cause.
  __________________________________________________________________
  Copyright (c) Digital Equipment Corporation, 1995 All
  Rights Reserved.
  Unpublished Rights Reserved Under The Copyright Laws Of
  The United States.
  __________________________________________________________________
--------------------------------------------------------------------------------
2. 04.03.97: Anthony McGarr : Serious 4.0 a,b hole -----ADVISORY----
 Anyone can now grab root through a shell, anyone know what dop is used for?
 We tried this and it works!!!! Anyone have a patch???
 In Norwegian dop is another word for drug, such as in drug abuse (dop
 missbruk). In  DEC Unix 4.0, 4.0A and 4.0B you will find /usr/sbin/dop
 setuid root. 
 -------------------------cut here------------------------------------
 ...
 -------------------------cut here------------------------------------
 run this script and get a free root shell.
 Anthony McGarr
 Delphi SuperNet
 
--------------------------------------------------------------------------------
3. 04.03.97: Anthony McGarr : Temp Fix for exploit
 I think that this is important enough to rebroadcast to the list
 Both  Digital Finland and Canada are on it, and we should have a fix soon!!!
 Thanks Jari,
   This problem has now been reported, and we expect to get an
   answer with good resolution. As a temporary workaround, you
   can set the dop command suid bit off:
      # chmod 611 dop
   I'm not sure of dop's background, but I'm sure we get better
   answers on that soon! Anyway, DOP is abbreviation of "Department
   Of Personnel", and is part of the SysMan management toolset. I haven't
   tested yet what it might break removing the suid bit, but in worst
   case you may lose some of the GUI system management features.
   regards, Jari Tavi Digital Finland
--------------------------------------------------------------------------------
4. 04.03.97: Dr. Tom Blinn : Security quick fix: Change prot. on /usr/sbin/dop
 On our production systems, the /usr/sbin/dop utility is protected thus:
   ls -l /usr/sbin/dop
   -r-x------   1 root     bin        40960 Nov 16 06:34 /usr/sbin/dop
 I would strongly recommend you make the same fix on your systems.  With
 this change, an attempt by anyone other than root to execute dop yields:
        /usr/sbin/dop: cannot execute
 The /usr/sbin/dop utility appears to be used by the new system management
 GUI components that were introduced in V4.0.
  Tom
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
Received on Thu Nov 19 1998 - 15:33:38 NZDT
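
Added example, not part of the original thread or of Digital's advisory: the three workarounds quoted above (`chmod 0`, `chmod 611`, and the `-r-x------` listing) leave dop in different states, and this script classifies an `ls -l` permission string to show which state a file is in. The function names are hypothetical, and the `-rwsr-xr-x` input is a constructed, assumed pre-fix mode (the thread only says dop was setuid root).

```shell
#!/bin/sh
# Added example: classify a permission string as printed by `ls -l`.

# classify_perms PERMS -> prints one word describing the exposure.
classify_perms() {
    owner=$(printf '%s' "$1" | cut -c4)    # owner execute slot: x, s, S or -
    group=$(printf '%s' "$1" | cut -c7)    # group execute slot: x, s, S or -
    other=$(printf '%s' "$1" | cut -c10)   # other execute slot: x, t, T or -

    case $owner in
        s|S) suid=yes ;;                   # setuid bit present
        *)   suid=no ;;
    esac
    case "$group$other" in
        [-S][-T]) others_exec=no ;;        # no execute bit for group or other
        *)        others_exec=yes ;;
    esac

    if [ "$suid" = yes ] && [ "$others_exec" = yes ]; then
        echo setuid-exposed        # non-owners run it with the owner's uid
    elif [ "$suid" = yes ]; then
        echo setuid-owner-only     # setuid, but only the owner may execute
    elif [ "$others_exec" = yes ]; then
        echo runs-unprivileged     # still executable, but as the caller
    elif [ "$owner" = x ]; then
        echo owner-only            # the state shown in the ls -l listing above
    else
        echo not-executable        # the state after chmod 0
    fi
}

# audit_path PATH -> classify a real file from its `ls -ld` output.
audit_path() {
    perms=$(ls -ld "$1" | cut -d' ' -f1)
    classify_perms "$perms"
}

# Constructed inputs: assumed pre-fix mode, then chmod 0, chmod 611 and the
# -r-x------ listing from the thread.
for p in -rwsr-xr-x ---------- -rw---x--x -r-x------; do
    printf '%s  %s\n' "$p" "$(classify_perms "$p")"
done
```

Run `audit_path /usr/sbin/dop` on a host to classify the installed binary; only the first class leaves a setuid program reachable by ordinary users.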