This isn't a permissions problem on the directories; note that his output
shows that the directory does have the new (i.e. patched) permissions. I
tested this on a completely patched system (patched it right before I tested
it with the latest ones from sunsolve1). I was still able to replicate the
exploit.

On Wed, 4 Nov 1998, Casper Dik wrote:

> >There's attached the message related to this new feature..
> >the /usr/dt/bin/dtappgather program tries to read the environment variable
> >$DTUSERSESSION to get the name of the file to seek for.
> >The file is searched in /var/dt/appconfig/appmanager.
> >Under SunOS 5.5,5.5.1 (aka Solaris 2.5, 2.5.1) that directory is 777 or
> >01777 so you're able to make a symbolic link to the file you wish, but on
> >SunOS 5.6 (Solaris 2.6) the directory is 755 to avoid this.
> >Unfortunately the dtappgather never checks the $DTUSERSESSION variable, so
> >you can use the syntax ../../.. etc... to grab the file you wish, even if
> >you can't write the /var/dt/appconfig/appmanager directory....
>
>
> Unless I'm very much mistaken, this is fixed in Solaris 7 as well as
> with the following Solaris 2.x patches:
>
>     104497-04: CDE 1.0.1: dtappgather patch
>     104498-04: CDE 1.0.2: dtappgather patch
>     104499-04: CDE 1.0.1_x86: dtappgather patch
>     104500-04: CDE 1.0.2_x86: dtappgather patch
>     105837-02: CDE 1.2: dtappgather Patch
>     105838-02: CDE 1.2_x86: dtappgather Patch
>
> (Released in March & June this year)
>
> For /var/dt permissions, you need:
>
>     103882-08: CDE 1.0.2: dtlogin patch for login authentication issues
>     103884-06: CDE 1.0.1: dtlogin patch
>     103885-06: CDE 1.0.1_x86: dtlogin patch
>     103886-07: CDE 1.0.2_x86: dtlogin patch for login authentication issues
>
> This was fixed in 2.6, but you still need to apply the following for other
> problems:
>
>     105703-07: CDE 1.2: dtlogin patch
>     105704-07: CDE 1.2_x86: dtlogin patch
>
>
> I'm not 100% sure the 2.5* patches will correct the permissions on
> existing directories. They will create new directories with the proper
> permissions.
>
>
>
> Casper
>

------------------------------------------------
Ben Collins <b.m.collinsat_private>
UnixGroup Admin - NASA LaRC
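The input check that the quoted report says dtappgather lacks, shown as an added example that is not part of the original thread and is not Sun's patch code. The helper names `session_name_ok` and `build_session_path` are hypothetical; the directory and the `DTUSERSESSION` variable are the ones named in the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Directory named in the thread; the file name comes from $DTUSERSESSION. */
#define APPMANAGER_DIR "/var/dt/appconfig/appmanager"

/* Hypothetical helper: accept only a single path component.
 * Rejects NULL, empty, ".", "..", and anything containing '/'. */
static int session_name_ok(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    return 1;
}

/* Hypothetical helper: build APPMANAGER_DIR/<name> into out.
 * Returns 0 on success, -1 if the name is rejected or does not fit. */
static int build_session_path(const char *name, char *out, size_t outlen)
{
    int n;

    if (!session_name_ok(name))
        return -1;
    n = snprintf(out, outlen, "%s/%s", APPMANAGER_DIR, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    char path[1024];
    const char *name = getenv("DTUSERSESSION");

    if (build_session_path(name, path, sizeof path) != 0) {
        fprintf(stderr, "refusing DTUSERSESSION value\n");
        return 1;
    }
    printf("%s\n", path);
    return 0;
}
```

This covers only the `../` traversal through the variable; the symbolic-link case on a 777 directory described in the quoted report is a separate problem that depends on the directory permissions.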