I just installed this patch and noticed a major omission in the instructions
for the installation of the patch.
Here are the instructions from the README:
# cd /usr/dt/bin
# cp /patches/dtaction dtaction.new
# chown root:system dtaction.new
# chmod 6555 dtaction.new
# ln dtaction dtaction.orig
# mv dtaction.new dtaction
The major problem is that it leaves the dtaction.orig file (the one with the
overflow) setuid to root. Some admins will notice it, some won't...
Solution? chmod 0100 /usr/dt/bin/dtaction.orig
BTW, anyone know a general security address @ compaq where I can send info
like this? I cannot seem to find one...
--Eric
On Thu, 16 Sep 1999, Zack Hubert wrote:
>Hello,
>
>I have verified that the dtaction vulnerability in CDE can be exploited for
>local root compromise on Digital Unix systems.
>
>Background
>--------------
>This is a followup to the issue first introduced by Job de Haas on the
>buffer overflow present within /usr/dt/bin/dtaction. He had verified that
>the problem exists on Solaris 7, 2.6, 2.5.1. Lamont Granquist then posted a
>followup saying it was exploitable on Digital Unix's implementation of CDE.
>I have found Lamont's original assessment to be correct.
>
>Workaround
>---------------
>Use the patch (ssrt0615u_dtaction) available from Digital at
>http://ftp.service.digital.com/public/Digital_UNIX/.
>
>Code
>------
>Note: This was all written by Lamont Granquist and distributed under
>previous Digital Unix overflows. There is a slight modification however.
>Compile smashdu, change the perl script to match your location, put some
>kind of paperweight on your enter key (believe me!), and voila, root.
>
>Sincerely,
>
>Zack Hubert ([EMAIL PROTECTED])
>UW Physicians Network - Unix Administrator
>
>
--
Eric Gatenby | PGP Keys: 0x0B9761F5 (1024/RSA)
[EMAIL PROTECTED] | 0x9EA39CC7 (3072/DSS)
http://www.pobox.com/~egatenby/ | Web page or key server
*** NOTE NEW EMAIL ADDRESS ***
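As an added example (not code from Eric's post, from Zack's, or from Digital's patch), the script below replays the README's six steps in a scratch directory, using placeholder files standing in for /usr/dt/bin and for the patched binary, shows that the hard-linked dtaction.orig keeps the setuid bit, and then applies the chmod 0100 fix from the post and re-checks. The leftover check goes slightly beyond the post by also matching .old and .bak suffixes; those two names are an assumption of this example. chown root:system is skipped because the script runs unprivileged, which does not change how the mode bits behave.

```shell
#!/bin/sh
# Added example, not from the original post or the vendor patch.
# Replays the README install steps in a temp directory built from
# constructed placeholder files, shows the setuid leftover, fixes it.

# Build a stand-in /usr/dt/bin with a setuid "dtaction" plus a stand-in
# patch directory holding the replacement. Prints "BINDIR PATCHDIR".
make_fixture() {
  bindir=$(mktemp -d) && patchdir=$(mktemp -d) || return 1
  printf 'placeholder: old dtaction\n' > "$bindir/dtaction"
  chmod 6555 "$bindir/dtaction"          # old binary: setuid+setgid, r-xr-xr-x
  printf 'placeholder: patched dtaction\n' > "$patchdir/dtaction"
  echo "$bindir $patchdir"
}

# The README steps as written, apart from the skipped chown.
apply_readme_steps() {   # $1 = bin dir, $2 = patch dir
  ( cd "$1" || exit 1
    cp "$2/dtaction" dtaction.new
    # chown root:system dtaction.new    (needs root; omitted in this demo)
    chmod 6555 dtaction.new
    ln dtaction dtaction.orig            # hard link: same inode, still mode 6555
    mv dtaction.new dtaction )
}

# Defender's check: setuid files whose name marks them as a leftover copy.
# The post names .orig; .old and .bak are assumed variants added here.
find_setuid_leftovers() {   # $1 = directory to scan
  find "$1" -type f \( -name '*.orig' -o -name '*.old' -o -name '*.bak' \) \
       -perm -4000
}

# Number of findings, for quick checks.
count_setuid_leftovers() { find_setuid_leftovers "$1" | wc -l | tr -d ' '; }

# The fix from the post: owner execute only, no setuid/setgid, not readable.
neutralise_leftover() { chmod 0100 "$1"; }

# Full walkthrough; exit status 0 only if the patched binary is still
# setuid and the fix removed every leftover finding.
demo() {
  fixture=$(make_fixture) || return 1
  bindir=${fixture% *}
  patchdir=${fixture#* }
  apply_readme_steps "$bindir" "$patchdir" || return 1
  before=$(count_setuid_leftovers "$bindir")
  echo "setuid leftovers after README steps: $before"   # 1 (dtaction.orig)
  find_setuid_leftovers "$bindir" | while read -r f; do neutralise_leftover "$f"; done
  after=$(count_setuid_leftovers "$bindir")
  echo "setuid leftovers after chmod 0100:  $after"     # 0
  [ -u "$bindir/dtaction" ] && [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}
```

Running `demo` prints the count before and after the fix. The same `find_setuid_leftovers` call, pointed at a real /usr/dt/bin, is the check an administrator would run after applying the vendor's README steps.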