The session manager dtsession contains an overflow vulnerability when parsing the environment variable TT_SESSION.
Because dtsession runs setuid root and does not drop root privileges (at least as tested on Solaris), the overflow can lead to a local root compromise.
Credit:
This vulnerability was found by: Job de Haas
Background:
The dtsession program performs session management for CDE, in cooperation with ToolTalk. The ToolTalk library parses an environment string that tells it about an already running ttsession daemon. When parsing this environment variable it fails to check the size of the value before calling sscanf().
When a string longer than 280 bytes is used for the IP address (10.0.0.10), it overflows the buffer and smashes the stack.
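The bug class described above is an unbounded sscanf() %s conversion into a fixed stack buffer; the following added example (not code from the advisory or from the ToolTalk library) shows a parser that measures the host field before conversion and uses a width-limited %s. The "<host> <port>" layout and the 280-byte buffer size are assumptions for illustration, not the real TT_SESSION encoding.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* The advisory reports a host field longer than 280 bytes smashing the stack,
 * so a 280-byte buffer is assumed here (hypothetical size). */
#define HOST_WIDTH 279
#define HOST_MAX   (HOST_WIDTH + 1)
#define STR_(x) #x
#define STR(x)  STR_(x)

typedef struct { char host[HOST_MAX]; int port; } session_t;

/* Parses a constructed "<host> <port>" string (assumed layout, not the real
 * TT_SESSION encoding). The unsafe pattern the advisory describes is
 *     sscanf(value, "%s %d", host, &port);
 * which writes the host token into a fixed stack buffer with no limit.
 * Returns 0 on success, -1 if the value is malformed or would not fit. */
int parse_session(const char *value, session_t *out) {
    size_t host_len;
    if (value == NULL || out == NULL) return -1;
    /* Measure the host token before any conversion touches the buffer. */
    host_len = strcspn(value, " \t");
    if (host_len == 0 || host_len >= HOST_MAX) return -1;
    /* A width-limited %s writes at most HOST_WIDTH bytes plus the NUL. */
    if (sscanf(value, "%" STR(HOST_WIDTH) "s %d", out->host, &out->port) != 2)
        return -1;
    if (out->port < 1 || out->port > 65535) return -1;
    return 0;
}

/* Builds a session string whose host field is host_len 'A' bytes (constructed
 * input) and returns parse_session's verdict, to exercise the size check. */
int parse_oversized_host(size_t host_len) {
    session_t s;
    char *buf = malloc(host_len + sizeof(" 1234"));
    int rc;
    if (buf == NULL) return -1;
    memset(buf, 'A', host_len);
    strcpy(buf + host_len, " 1234");
    rc = parse_session(buf, &s);
    free(buf);
    return rc;
}

int main(void) {
    session_t s;
    if (parse_session("10.0.0.10 1234", &s) == 0)
        printf("host=%s port=%d\n", s.host, s.port);
    printf("300-byte host: %s\n", parse_oversized_host(300) == 0 ? "accepted" : "rejected");
    return 0;
}
```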
Possible workaround:
Removing the setuid bit causes password checking to fail when unlocking a screen (the shadow file is readable only by root). For personal workstation use this may be acceptable.
Affected Systems:
dtsession is part of CDE, which is used by multiple UNIX vendors (among others: Sun, HP, Compaq (Digital), IBM, Novell, SCO).
It looks like most systems running CDE are vulnerable, although the only systems that were verified are Solaris 7, 2.6 and 2.5.1.