mailing list archives
Re: Solaris2.5.1 dtlogin core
From: andrewh () WPI EDU (Andrew Hobgood)
Date: Thu, 24 Jul 1997 22:53:18 -0400
The other day, I noticed a mod 644 core file in the root directory of
the Solaris machine. adb said it was dtlogin which had died of
Along the lines of CDE's seemingly twisted modes on support the core file,
I had found a bug a while back on the DECUnix/OSF1 implementation of CDE.
In a CDE user's .dt/ directory, there are multiple world-writeable files
which have the potential to be used for denial of service attacks.
.dt/Trash contains a file .trashinfo, which is mod 666, and can be
easily filled with random data to force a user's quota to be filled, or,
in the case that the file is owned by root (other than root shouldn't be
running CDE anyway), can be used to fill up the entire drive.
After this bug was fixed, I discovered more files which were also mod 666.
Such files included the .dt/palettes/*.dp files.
Equally bothersome is the fact that if the files remain 666, they can also
be read, not only written to by malicious users. I don't know a whole lot
about what gets stored in the .trashinfo file, but if trashed files are
stored there, they could be read (and modified, for when they are later
dragged out of the trash). Also, the .dt/tmp directory contains files
which belonged to the user running the session, and are 644. Once again,
sensitive data could be retrieved by looking through these directories...
a simple 'find' in the .dt directory of a CDE user yields a fun little
list of goodies.
I notified the administrators of the system upon which I found these
"bugs" originally, and they claimed that they were contacting DEC about
it, although I now wonder whether they did (I first alerted them to it
back in December).
--=[ Andrew Hobgood
earth:~# shutdown --apocalypse 5 `/bin/cat ~/apocalype.msg`
Broadcast message from god (console) Wed May 16 13:45:22 2000...
Earth is shutting down in 5 minutes for a system upgrade. All users please
log out or transfer to heaven.god.net or hell.god.net. Thank you.
Re: CPSR 7: IRIX WWW Server Lamont Granquist (Jul 24)
Solaris2.5.1 dtlogin core Arve Kjoelen (Jul 24)
Sun Security Bulletin #00147 Aleph One (Jul 25)
- Re: Solaris2.5.1 dtlogin core Andrew Hobgood (Jul 25)