CERT
 
US-CERT Vulnerability Notes Database CERT Statistics Vulnerability Disclosure Policy CERT Knowledgebase Courses Link to US-CERT cylab
 

CERT® Advisory CA-1998-02 Vulnerabilities in CDE

Original issue date: January 21, 1998
Last revised: June 18, 1998
Minor editorial changes.

A complete revision history is at the end of this file.

The CERT Coordination Center has received reports of several vulnerabilities in some implementations of the Common Desktop Environment (CDE). The root cause of these vulnerabilities is that the dtappgather program does not adequately check all information passed to it by users. As a result, it is possible for a local user to gain unauthorized privileged access or cause a denial of service on the system.

We recommend installing a vendor patch as soon as possible. Until you can do so, we encourage you to disable vulnerable copies of the program. Section III.A. of this advisory contains information on checking for potentially vulnerable copies and disabling them. Section III.B and the appendix contains vendor information.

We will update this advisory as we receive additional information. Please check our advisory files regularly for updates that relate to your site.

I. Description

There are several vulnerabilities in some implementations of the Common Desktop Environment (CDE). The root cause of these vulnerabilities is that the setuid root program "dtappgather" does not adequately check all information passed to it by users. By exploiting these vulnerabilities, an attacker can gain either unauthorized privileged access or cause a denial of service on the system.

II. Impact

Local users are able to gain write access to arbitrary files. This can be leveraged to gain privileged access.

Local users may also be able to remove files from arbitrary directories, thus causing a denial of service.

III. Solution

We recommend installing a vendor patch as soon as possible and disabling the vulnerable program until you can do so. Instructions for determining whether you have a potentially vulnerable version of this program are given in Section A. Vendor patches are discussed in Section B.

  1. How to check for and disable potentially vulnerable versions of dtappgather

    2. To find potentially vulnerable versions of dtappgather and to disable those programs, use the following find(1) command or a variant. Consult your local system documentation to determine how to tailor the find(1) program on your system.

    You will need to run the find(1) command on each system you maintain because the command examines files on local disks only. Substitute the names of your local file systems for FILE_SYSTEM_NAMES in the example. Example local file system names are /, /usr, and /var. You should do this as root.

    Note that this is one long command, though we have separated it onto three lines using backslashes. 

    	       find FILE_SYSTEM_NAMES -xdev -type f -user root \
		      -name 'dtappgather' -perm -04000 -exec ls -l '{}' \; \
		      -ok chmod u-s '{}' \;

    This command will find all files on a system that

    • are only in the file systems you name (FILE_SYSTEM_NAMES -xdev)
    • are regular files (-type f)
    • are owned by root (-user root)
    • have the name "dtappgather" (-name 'dtappgather')
    • are setuid (-perm -04000)

    Once found, those files will

    • have their names and details printed (-exec ls -l '{}')
    • no longer be setuid root, but only if you type `y' in response to the prompt (-ok chmod u-s '{}' \;)

    Until you are able to install the appropriate patch, we recommend that you remove the setuid bit from the dtappgather program. Note that doing this will affect the functionality of the dtappgather program for some users. For example, newly created users that have not logged into the CDE desktop may not have any icons in the Application Manager window; existing users may not notice any change in functionality.

  2. Obtain and install a patch for this problem.

    3. If your vendor has a patch for this problem, we encourage you to apply the patch as soon as possible.

    Appendix A contains a list of vendors who have provided information about this problem. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly.

Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this advisory. We will update this appendix as we receive additional information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact the vendor directly.

Digital Equipment Corporation

At the time of writing this document, patches(binary kits) are in progress. Distribution of the fix for this problem is expected to begin soon. Digital will provide notice of the completion/availability of the patches through AES services (DIA, DSNlink FLASH) and be available from your normal Digital Support channel.

Hewlett-Packard Company

This problem is addressed HP Security Bulletin 075. This bulletin can be found at one of these URLs:

(for US, Canada, Asia-Pacific, & Latin-America)
http://us-support.external.hp.com

(for Europe)
http://europe-support.external.hp.com

Security Bulletin 075: Security Vulnerability in CDE on HP-UX 

    PLATFORM: HP9000 Series 700/800s running CDE on:
	    HP-UX 10.10, HP-UX 10.20,
	    HP-UX 10.24 (VVOS),
	    HP-UX 11.00

    SOLUTION:  Apply one of:
	     PHSS_13723  HP-UX 10.10
	     PHSS_13724  HP-UX 10.20
	     PHSS_13725  HP-UX 10.30
	     PHSS_13772  HP-UX 10.24
	     PHSS_13406  HP-UX 11.00

IBM Corporation

The version of dtappgather shipped with AIX is vulnerable. The following fixes are in progress: 
    AIX 3.2:  not vulnerable; CDE not shipped in 3.2
    AIX 4.1:  IX73436
    AIX 4.2:  IX73437
    AIX 4.3:  IX73438

To Order:

APARs may be ordered using Electronic Fix Distribution (via FixDist) or from the IBM Support Center. For more information on FixDist, reference URL:

http://service.software.ibm.com/aixsupport/

or send e-mail toaixserv@austin.ibm.com with a subject of "FixDist".

IBM and AIX are registered trademarks of International Business Machines Corporation.

The Open Group

The Open Group is investigating this vulnerability, and if reproduced will develop a solution and provide a patch for its CDE licensees.

Siemens-Nixdorf Informationssysteme AG

Siemens-Nixdorf provides the TED desktop by TriTeal Corporation as CDE product. TED contains the vulnerable program "dtappgather". We informed TriTeal about this.

Please note: First level support for the TED desktop is done by Siemens-Nixdorf Informationssysteme.

Silicon Graphics, Inc.

Silicon Graphics provides only the third party TriTeal CDE product.

Triteal Corporation provides all support on the SGI offered CDE product. Customers requiring support on the SGI CDE product should contact TriTeal Corporation at 1-800-874-8325, or email support@triteal.com.

For other Silicon Graphics related security information, please see the SGI Security Headquarters website located at:

http://www.sgi.com/Support/security/security.html

Sun Microsystems, Inc.

	  Sun has released the following patches:

		  Patch           CDE version

		  105837-01       1.2
		  105838-01       1.2_x86
		  104498-02       1.02
		  104500-02       1.02_x86
		  104497-02       1.01
		  104499-02       1.01_x86

	  The above patches are available at:

		  http://sunsolve.sun.com/sunsolve/pubpatches.html

This document is available from: http://www.cert.org/advisories/CA-1998-02.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Copyright 1998 Carnegie Mellon University.

Revision History 
June 18, 1998  Minor editorial changes.
Feb. 12, 1998  Added information for Siemens-Nixdorf Informationssysteme AG.
Jan. 29, 1998  Updated vendor information for Sun.