J-Security Center

Title: Multiple Vendor CDE dtspcd Vulnerability

Severity: MODERATE

Description:

This explanation is quoted from the initial post on this problem by Job De Hass. This message is available in its entirety in the 'Credit' section of this vulnerability entry.

The CDE subprocess daemon /usr/dt/bin/dtspcd contains an insufficient check on client credentials. The CDE subprocess daemon allows cross-platform invocation of applications. In order to authenticate the remote user, the daemon generates a filename which is to be created by the client and then is verified by the daemon. When verifying the created file, the daemon uses stat() instead of lstat() and is subsequently vulnerable to a symlink attack. Furthermore, the daemon seems to allow empty usernames and then reverts to a publicly writable directory (/var/dt/tmp).
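The stat() versus lstat() difference described above, shown as an added example that is not part of the original advisory and is not dtspcd source code. It assumes the verification compares the file's owner with the uid of the claimed user (the page does not say which attribute is checked); the function names and the temporary paths are hypothetical.

```c
#define _XOPEN_SOURCE 700   /* lstat, symlink, mkdtemp */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak check, the pattern the advisory describes: stat() follows symlinks,
   so it reports the owner of whatever the path resolves to. */
int owner_ok_stat(const char *path, uid_t expected) {
    struct stat st;
    return stat(path, &st) == 0 && st.st_uid == expected;
}

/* Hardened check: lstat() inspects the directory entry itself. Accept only a
   regular, singly linked file owned by the expected uid. */
int owner_ok_lstat(const char *path, uid_t expected) {
    struct stat st;
    if (lstat(path, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1 && st.st_uid == expected;
}

/* Constructed scenario in a fresh temp directory: one regular file and one
   symlink pointing at it. Result bits: 1 = stat() accepts the symlink,
   2 = lstat() accepts the symlink, 4 = lstat() accepts the regular file. */
int run_demo(void) {
    char dir[] = "/tmp/authdemoXXXXXX", target[64], lnk[64];
    int result = 0;
    uid_t me = geteuid();
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    FILE *f = fopen(target, "w");
    if (!f) { rmdir(dir); return -1; }
    fclose(f);
    if (symlink(target, lnk) == 0) {
        if (owner_ok_stat(lnk, me)) result |= 1;
        if (owner_ok_lstat(lnk, me)) result |= 2;
        if (owner_ok_lstat(target, me)) result |= 4;
    } else result = -1;
    unlink(lnk); unlink(target); rmdir(dir);
    return result;
}

int main(void) {
    printf("result bits: %d\n", run_demo());
    return 0;
}
```

In a world-writable directory such as /var/dt/tmp the path can still change between the check and any later use, so a check done on an already opened descriptor with fstat() is the stronger form of the same fix.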

Affected Products:

  • Open Group CDE Common Desktop Environment 1.0.1
  • Open Group CDE Common Desktop Environment 1.0.2
  • Open Group CDE Common Desktop Environment 1.1.0
  • Open Group CDE Common Desktop Environment 1.2.0
  • Open Group CDE Common Desktop Environment 2.0.0
  • Open Group CDE Common Desktop Environment 2.1.0
  • Open Group CDE Common Desktop Environment 2.1.020
  • Sun Solaris 2.5.0
  • Sun Solaris 2.5.0_x86
  • Sun Solaris 2.5.1
  • Sun Solaris 2.5.1_x86
  • Sun Solaris 2.6
  • Sun Solaris 2.6_x86
  • Sun Solaris 7.0
  • Sun Solaris 7.0_x86
  • Sun Solaris 9
  • Sun Solaris 9_x86
  • Sun Solaris 9_x86 Update 2
