An unpatched version of dtappgather may assist in gaining root by allowing unprivileged local users to change the permissions of virtually any file on a SunOS system (5.5 and 5.5.1 reported to be affected) to world-readable and world-executable (-r-xr-xr-x), making it easy to email the '/etc/passwd' file or '/etc/shadow' file to anyone.
CDE version 1.0.2 (and earlier) contains a program called 'dtappgather' which, when run, looks for a file called '/var/dt/appconfig/appmanager/generic-display-0'. When it accesses this file, it doesn't check to see whether it exists or not, and changes the permission settings of this file to (-r-xr-xr-x). It is able to change the permissions of any file on the system because it is set-id root.
By simply running the following commands on an unpatched system you can gain access to the '/etc/passwd' file on a SunOS system:
1) ln -s /etc/passwd /var/dt/appconfig/appmanager/generic-display-0
2) dtappgather
It is also possible to exploit the system by issuing the following command:
1) env DTUSERSESSION=../../../../../../../etc/shadow dtappgather
Although a patch was issued by CERT (CA-98.02), the problem still exists.
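
The flaw described above is a set-id root program changing permissions by path name, so a symbolic link or a '../' value in DTUSERSESSION decides which file is affected. The following C is an added example, not code from CDE or from this advisory, showing the checks a privileged helper can make before touching the file; the function names and the rule that the file must belong to the invoking user are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Accept only a plain file name. This rejects values such as the
 * DTUSERSESSION string "../../../../../../../etc/shadow". */
int session_name_ok(const char *name)
{
    if (name == NULL || name[0] == '\0' || strlen(name) > 255)
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* Set mode 0555 on dir/name only when it is a regular file owned by
 * `owner` and not a symbolic link. Returns 0 on success, -1 on refusal.
 * (Function names and the ownership rule are assumptions of this example.) */
int safe_set_mode(const char *dir, const char *name, uid_t owner)
{
    struct stat st;
    int dfd, fd, rc = -1;

    if (!session_name_ok(name))
        return -1;
    dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0)
        return -1;
    /* O_NOFOLLOW makes the open fail if `name` is a symlink, e.g. one
     * pointing at /etc/passwd; O_NONBLOCK avoids hanging on a FIFO. */
    fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    close(dfd);
    if (fd < 0)
        return -1;
    /* fstat() and fchmod() act on the opened inode, so the path cannot
     * be swapped between the check and the permission change. */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == owner)
        rc = fchmod(fd, 0555);
    close(fd);
    return rc;
}
```

Dropping root privileges to the invoking user before any file operation achieves the same result more broadly, since the kernel then refuses the permission change on files the user does not own.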