what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

CA-98.02.CDE

CA-98.02.CDE
Posted Sep 14, 1999

This advisory reports several vulnerabilities in some implementations of the Common Desktop Environment (CDE).

tags | vulnerability
SHA-256 | edc037e7bd7f7b92a005d2801e59e98211a145f5cfbacf8542e2ca9eeb696139

CA-98.02.CDE

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT* Advisory CA-98.02
Original issue date: Jan. 21, 1998
Last revised: June 18, 1998
Minor editorial changes.

A complete revision history is at the end of this file.

Topic: Vulnerabilities in CDE
- -----------------------------------------------------------------------------

The CERT Coordination Center has received reports of several vulnerabilities
in some implementations of the Common Desktop Environment (CDE). The root
cause of these vulnerabilities is that the dtappgather program does not
adequately check all information passed to it by users. As a result, it is
possible for a local user to gain unauthorized privileged access or cause a
denial of service on the system.

We recommend installing a vendor patch as soon as possible. Until you can do
so, we encourage you to disable vulnerable copies of the program. Section
III.A. of this advisory contains information on checking for potentially
vulnerable copies and disabling them. Section III.B and the appendix contain
vendor information.

We will update this advisory as we receive additional information. Please
check our advisory files regularly for updates that relate to your site.

- -----------------------------------------------------------------------------

I. Description

There are several vulnerabilities in some implementations of the Common
Desktop Environment (CDE). The root cause of these vulnerabilities is
that the setuid root program "dtappgather" does not adequately check all
information passed to it by users. By exploiting these vulnerabilities,
an attacker can gain either unauthorized privileged access or cause a
denial of service on the system.


II. Impact

Local users are able to gain write access to arbitrary files. This can be
leveraged to gain privileged access.

Local users may also be able to remove files from arbitrary directories,
thus causing a denial of service.


III. Solution

We recommend installing a vendor patch as soon as possible and disabling
the vulnerable program until you can do so. Instructions for determining
whether you have a potentially vulnerable version of this program are
given in Section A. Vendor patches are discussed in Section B.

A. How to check for and disable potentially vulnerable versions of
dtappgather

To find potentially vulnerable versions of dtappgather and to
disable those programs, use the following find(1) command or a
variant. Consult your local system documentation to determine how
to tailor the find(1) program on your system.

You will need to run the find(1) command on each system you
maintain because the command examines files on local disks only.
Substitute the names of your local file systems for
FILE_SYSTEM_NAMES in the example. Example local file system names
are /, /usr, and /var. You should do this as root.

Note that this is one long command, though we have separated
it onto three lines using backslashes.

find FILE_SYSTEM_NAMES -xdev -type f -user root \
-name 'dtappgather' -perm -04000 -exec ls -l '{}' \; \
-ok chmod u-s '{}' \;

This command will find all files on a system that
- are only in the file systems you name (FILE_SYSTEM_NAMES -xdev)
- are regular files (-type f)
- are owned by root (-user root)
- have the name "dtappgather" (-name 'dtappgather')
- are setuid (-perm -04000)

Once found, those files will
- have their names and details printed (-exec ls -l '{}')
- no longer be setuid root, but only if you type `y' in
response to the prompt (-ok chmod u-s '{}' \;)


Until you are able to install the appropriate patch, we recommend
that you remove the setuid bit from the dtappgather program. Note
that doing this will affect the functionality of the dtappgather
program for some users. For example, newly created users that have
not logged into the CDE desktop may not have any icons in the
Application Manager window; existing users may not notice any
change in functionality.


B. Obtain and install a patch for this problem.

If your vendor has a patch for this problem, we encourage you to
apply the patch as soon as possible.

Appendix A contains a list of vendors who have provided information
about this problem. We will update the appendix as we receive more
information. If you do not see your vendor's name, the CERT/CC did
not hear from that vendor. Please contact your vendor directly.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact the vendor directly.


Digital Equipment Corporation
- ------------------------------

At the time of writing this document, patches(binary kits) are in
progress. Distribution of the fix for this problem is expected to begin
soon. Digital will provide notice of the completion/availability of the
patches through AES services (DIA, DSNlink FLASH) and be available from
your normal Digital Support channel.


Hewlett-Packard Company
- -----------------------

This problem is addressed HP Security Bulletin 075. This bulletin can be
found at one of these URLs:

https://us-support.external.hp.com
(for US, Canada, Asia-Pacific, & Latin-America)

https://europe-support.external.hp.com
(for Europe)

Security Bulletin 075: Security Vulnerability in CDE on HP-UX

PLATFORM: HP9000 Series 700/800s running CDE on:
HP-UX 10.10, HP-UX 10.20,
HP-UX 10.24 (VVOS),
HP-UX 11.00

SOLUTION: Apply one of:
PHSS_13723 HP-UX 10.10
PHSS_13724 HP-UX 10.20
PHSS_13725 HP-UX 10.30
PHSS_13772 HP-UX 10.24
PHSS_13406 HP-UX 11.00


IBM Corporation
- ---------------

The version of dtappgather shipped with AIX is vulnerable. The
following fixes are in progress:

AIX 3.2: not vulnerable; CDE not shipped in 3.2
AIX 4.1: IX73436
AIX 4.2: IX73437
AIX 4.3: IX73438

To Order
--------
APARs may be ordered using Electronic Fix Distribution (via FixDist)
or from the IBM Support Center. For more information on FixDist,
reference URL:

https://service.software.ibm.com/aixsupport/

or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".


IBM and AIX are registered trademarks of International Business Machines
Corporation.


The Open Group
- --------------

The Open Group is investigating this vulnerability, and if reproduced
will develop a solution and provide a patch for its CDE licensees.


Siemens-Nixdorf Informationssysteme AG
- --------------------------------------

Siemens-Nixdorf provides the TED desktop by TriTeal Corporation as CDE
product. TED contains the vulnerable program "dtappgather". We informed
TriTeal about this.

Please note: First level support for the TED desktop is done by
Siemens-Nixdorf Informationssysteme.


Silicon Graphics, Inc.
- ----------------------

Silicon Graphics provides only the third party TriTeal CDE product.

Triteal Corporation provides all support on the SGI offered CDE product.
Customers requiring support on the SGI CDE product should contact TriTeal
Corporation at 1-800-874-8325, or email support@triteal.com.

For other Silicon Graphics related security information, please see the
SGI Security Headquarters website located at:

https://www.sgi.com/Support/security/security.html


Sun Microsystems, Inc.
- ----------------------

Sun has released the following patches:

Patch CDE version

105837-01 1.2
105838-01 1.2_x86
104498-02 1.02
104500-02 1.02_x86
104497-02 1.01
104499-02 1.01_x86

The above patches are available at:

https://sunsolve.sun.com/sunsolve/pubpatches.html

- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see https://www.first.org/team-info/).


CERT/CC Contact Information
- ----------------------------
Email cert@cert.org

Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
and are on call for emergencies during other hours.

Fax +1 412-268-6989

Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA

Using encryption
We strongly urge you to encrypt sensitive information sent by email. We can
support a shared DES key or PGP. Contact the CERT/CC for more information.
Location of CERT PGP key
ftp://ftp.cert.org/pub/CERT_PGP.key

Getting security information
CERT publications and other security information are available from
https://www.cert.org/
ftp://ftp.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce

To be added to our mailing list for advisories and bulletins, send
email to
cert-advisory-request@cert.org
In the subject line, type
SUBSCRIBE your-email-address

- ---------------------------------------------------------------------------

Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
https://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

*CERT is registered in the U.S. Patent and Trademark Office.

- ---------------------------------------------------------------------------

This file: ftp://ftp.cert.org/pub/cert_advisories/CA-98.02.CDE
https://www.cert.org/pub/alerts.html



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

June 18, 1998 Minor editorial changes.

Feb. 12, 1998 Added information for Siemens-Nixdorf Informationssysteme AG.

Jan. 29, 1998 Updated vendor information for Sun.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNYkj2HVP+x0t4w7BAQHV4gP/abzvmjI7ACVE3fVcnrVCp9C255E+eYM3
uSdJXWCpJyuNDxuYyJ7j0OHHq72jPA9ZmEwE94l7QiEmt8fvKPaVruM00/C5mPL4
VsxEpHQmCMY65PKsby3Ri9pjXinRIIH9hO/dzbRx6bgqqQpL7l0ztS9YIt6e1ttf
/rhXKK1kpeY=
=pM6E
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close