I just installed this patch and noticed a major omission in the instructions for the installation of the patch. Here are the instructions from the README:

  # cd /usr/dt/bin
  # cp /patches/dtaction dtaction.new
  # chown root:system dtaction.new
  # chmod 6555 dtaction.new
  # ln dtaction dtaction.orig
  # mv dtaction.new dtaction

The major problem is that it leaves the dtaction.orig file (the one with the overflow) setuid to root. Some admins will notice it, some won't...

Solution?

  chmod 0100 /usr/dt/bin/dtaction.orig

BTW, anyone know a general security address @ compaq where I can send info like this? I cannot seem to find one...

--Eric

On Thu, 16 Sep 1999, Zack Hubert wrote:

>Hello,
>
>I have verified that the dtaction vulnerability in CDE can be exploited for
>local root compromise on Digital Unix systems.
>
>Background
>--------------
>This is a followup to the issue first introduced by Job de Haas on the
>buffer overflow present within /usr/dt/bin/dtaction. He had verified that
>the problem exists on Solaris 7, 2.6, 2.5.1. Lamont Granquist then posted a
>followup saying it was exploitable on Digital Unix's implementation of CDE.
>I have found Lamont's original assessment to be correct.
>
>Workaround
>---------------
>Use the patch (ssrt0615u_dtaction) available from Digital at
>http://ftp.service.digital.com/public/Digital_UNIX/.
>
>Code
>------
>Note: This was all written by Lamont Granquist and distributed under
>previous Digital Unix overflows. There is a slight modification however.
>Compile smashdu, change the perl script to match your location, put some
>kind of paperweight on your enter key (believe me!), and voila, root.
>
>Sincerely,
>
>Zack Hubert (zhubertat_private)
>UW Physicians Network - Unix Administrator
>
>

-- 
Eric Gatenby                    | PGP Keys: 0x0B9761F5 (1024/RSA)
egatenbyat_private              |           0x9EA39CC7 (3072/DSS)
http://www.pobox.com/~egatenby/ | Web page or key server
*** NOTE NEW EMAIL ADDRESS ***
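The problem Eric describes comes from the `ln` step: a hard link shares the inode, so dtaction.orig keeps the 6555 mode of the old binary after the new one is moved into place. The script below is an added example (not from the original post or from the Digital patch README) that replays the README's sequence in a scratch directory, audits it for leftover setuid/setgid backup copies, and then applies the chmod 0100 fix. The `chown root:system` step is omitted because it needs root and is not what the audit keys on; the directory layout (`bin/`, `patches/`) and the backup-suffix list are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: replay the patch README's file swap in a scratch directory
# and audit for privileged leftover copies. Not the README's own script.
# The chown step is left out (needs root); the mode bits are what matter here.

# List regular files under $1 that still carry setuid or setgid bits and
# whose name ends in a backup-style suffix (assumed suffix list).
find_privileged_leftovers() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        \( -name '*.orig' -o -name '*.old' -o -name '*.bak' \) 2>/dev/null | sort
}

# The README's sequence as posted, minus chown. The hard link dtaction.orig
# shares the old binary's inode, so it inherits the 6555 mode untouched.
readme_replace() {
    dir=$1
    cp "$dir/patches/dtaction" "$dir/bin/dtaction.new"
    chmod 6555 "$dir/bin/dtaction.new"
    ln "$dir/bin/dtaction" "$dir/bin/dtaction.orig"
    mv -f "$dir/bin/dtaction.new" "$dir/bin/dtaction"
}

# Eric's fix: strip every privilege bit from the retained copy. Mode 0100
# keeps it executable by the owner only, so root can still run it for comparison.
neutralize_orig() {
    chmod 0100 "$1/bin/dtaction.orig"
}

# Build a constructed scratch layout: bin/dtaction stands in for the old
# (vulnerable) setuid binary, patches/dtaction for the patched one.
setup_scratch() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/patches"
    printf '#!/bin/sh\necho old\n' > "$dir/bin/dtaction"
    printf '#!/bin/sh\necho new\n' > "$dir/patches/dtaction"
    chmod 6555 "$dir/bin/dtaction"
    echo "$dir"
}

# Usage (stand-alone run): show the leftover before and after the fix.
if [ "${1:-}" = "demo" ]; then
    d=$(setup_scratch)
    readme_replace "$d"
    echo "after README steps:"; find_privileged_leftovers "$d"
    neutralize_orig "$d"
    echo "after chmod 0100:";   find_privileged_leftovers "$d"
    rm -rf "$d"
fi
```

On a real host the audit would be run against /usr/dt/bin (or the whole filesystem with `find / -xdev`), and the suffix filter dropped entirely if the goal is a full inventory of setuid binaries rather than just patch leftovers.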
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:04:23 PDT