Re: another /usr/dt/bin/dtappgather feature!

From: Ben Collins (bmcat_private)
Date: Wed Nov 04 1998 - 18:55:50 PST


    This isn't a permissions problem on the directories; note that his output
    shows that the directory does have the new (i.e. patched) permissions. I
    tested this on a completely patched system (patched it right before I
    tested it with the latest ones from sunsolve1). I was still able to
    replicate the exploit.
    
    On Wed, 4 Nov 1998, Casper Dik wrote:
    
    > >There's attached the message related to this new feature..
    > >the /usr/dt/bin/dtappgather program tries to read the environment variable
    > >$DTUSERSESSION to get the name of the file to seek for.
    > >The file is searched in /var/dt/appconfig/appmanager.
    > >Under SunOS 5.5, 5.5.1 (aka Solaris 2.5, 2.5.1) that directory is 777 or
    > >01777 so you're able to make a symbolic link to the file you wish, but on
    > >SunOS 5.6 (Solaris 2.6) the directory is 755 to avoid this.
    > >Unfortunately the dtappgather never checks the $DTUSERSESSION variable, so
    > >you can use the syntax ../../.. etc... to grab the file you wish, even if
    > >you can't write the /var/dt/appconfig/appmanager directory....
    >
    >
    > Unless I'm very much mistaken, this is fixed in Solaris 7 as well as
    > with the following Solaris 2.x patches:
    >
    > 104497-04: CDE 1.0.1: dtappgather patch
    > 104498-04: CDE 1.0.2: dtappgather patch
    > 104499-04: CDE 1.0.1_x86: dtappgather patch
    > 104500-04: CDE 1.0.2_x86: dtappgather patch
    > 105837-02: CDE 1.2: dtappgather Patch
    > 105838-02: CDE 1.2_x86: dtappgather Patch
    >
    > (Released in March & June this year)
    >
    > For /var/dt permissions, you need:
    >
    > 103882-08: CDE 1.0.2: dtlogin patch for login authentication issues
    > 103884-06: CDE 1.0.1: dtlogin patch
    > 103885-06: CDE 1.0.1_x86: dtlogin patch
    > 103886-07: CDE 1.0.2_x86: dtlogin patch for login authentication issues
    >
    > This was fixed in 2.6, but you still need to apply the following for other
    > problems:
    > 105703-07: CDE 1.2: dtlogin patch
    > 105704-07: CDE 1.2_x86: dtlogin patch
    >
    >
    > I'm not 100% sure the 2.5* patches will correct the permissions on
    > existing directories.  They will create new directories with the proper
    > permissions.
    >
    >
    >
    > Casper
    >
    
    ------------------------------------------------
    Ben Collins <b.m.collinsat_private>
    UnixGroup Admin - NASA LaRC
    
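The two problems described in the thread (a symbolic link planted in a writable /var/dt/appconfig/appmanager, and a `../../..` value in $DTUSERSESSION) both come from using the variable as a path without checking it. The following is an added example of the missing check, not dtappgather's code and not from either poster; the function names `session_name_ok` and `open_session_file` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added illustration; function names are hypothetical, not dtappgather's. */
#define APPMANAGER_DIR "/var/dt/appconfig/appmanager" /* path from the thread */

/* Accept only a single path component: non-empty, bounded, no '/',
 * and not "." or "..". This rejects "../../.." style values. */
int session_name_ok(const char *name)
{
    if (name == NULL || name[0] == '\0' || strlen(name) > 255)
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Open dir/name without following a final-component symlink; regular files only. */
int open_session_file(const char *dir, const char *name)
{
    struct stat st;
    int dfd, fd;
    if (!session_name_ok(name))
        return -1;
    dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0)
        return -1;
    fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK); /* FIFO-safe */
    close(dfd);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int fd = open_session_file(APPMANAGER_DIR, getenv("DTUSERSESSION"));
    puts(fd >= 0 ? "DTUSERSESSION accepted" : "DTUSERSESSION rejected");
    if (fd >= 0) close(fd);
    return 0;
}
```

`O_NOFOLLOW` only covers the last path component, so this check relies on the parent directories not being writable by other users, which is what the /var/dt permission patches listed above address.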
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:22:10 PDT