In order to authenticate the remote user, the daemon generates a filename which is to be created by the client and then verified by the daemon. When verifying the created file, the daemon uses stat() instead of lstat(); because stat() follows symbolic links, the check can be satisfied by a symlink pointing at a file the daemon can reach, so the daemon is vulnerable to a symlink attack. Furthermore, the daemon seems to allow empty usernames, in which case it falls back to a publicly writable directory (/var/dt/tmp) where any local user can plant such a link. The process can be followed fairly well by setting the -log and -debug options on dtspcd (in /etc/inetd.conf). It will then create a log file in /var/dt/tmp/DTSPCD.log. This will show information like:
Both these bugs can be combined to convince dtspcd it should execute an action as root.
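To make the stat()/lstat() point concrete, the following C program (an added example, not the advisory's script and not dtspcd's own code) reproduces the shape of the check described above: a verifier that stat()s a client-created path is satisfied by a symlink pointing at a regular file with the expected owner, whereas a verifier that uses lstat(), opens with O_NOFOLLOW and fstat()s the descriptor rejects the link. The names verify_with_stat, verify_with_lstat and demo_symlink_bypass are hypothetical, and the scratch directory under /tmp is a constructed fixture; it needs no privileges because the link points at a file owned by the running user, standing in for the file owned by the claimed user that an attacker would target.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable check, modelled on the advisory's description of dtspcd:
 * stat() follows symlinks, so a client-created symlink to a regular file
 * owned by the claimed uid looks exactly like the expected file. */
int verify_with_stat(const char *path, uid_t expected_uid)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == expected_uid;
}

/* Hardened check (assumed fix, not the vendor's patch): lstat() does not
 * follow the final path component, so a symlink is rejected outright. The
 * file is then opened with O_NOFOLLOW and fstat()ed, and the descriptor's
 * inode is compared with the lstat() result, so that a link swapped in
 * between the check and the open is detected as well. */
int verify_with_lstat(const char *path, uid_t expected_uid)
{
    struct stat lst, fst;
    int fd, ok;

    if (lstat(path, &lst) != 0)
        return 0;
    if (S_ISLNK(lst.st_mode) || !S_ISREG(lst.st_mode))
        return 0;
    fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return 0;
    ok = fstat(fd, &fst) == 0 && S_ISREG(fst.st_mode)
         && fst.st_uid == expected_uid
         && fst.st_ino == lst.st_ino && fst.st_dev == lst.st_dev;
    close(fd);
    return ok;
}

/* Constructed fixture: a scratch directory holding a real file and a
 * symlink to it. Runs both verifiers against the symlink and returns 1 if
 * the stat()-based check accepts it while the lstat()-based check rejects
 * it; returns -1 if the fixture could not be built. */
int demo_symlink_bypass(void)
{
    char dir[] = "/tmp/dtspcd_demo_XXXXXX";
    char target[256], lnk[256];
    int fd, stat_result, lstat_result;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/auth_file", dir);

    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    if (symlink(target, lnk) != 0)
        return -1;

    /* The daemon expects the file to belong to the claimed user; here the
     * running user plays both the claimed user and the attacker. */
    stat_result = verify_with_stat(lnk, getuid());   /* 1: link followed */
    lstat_result = verify_with_lstat(lnk, getuid()); /* 0: link rejected */

    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return stat_result == 1 && lstat_result == 0;
}

int main(void)
{
    int r = demo_symlink_bypass();
    if (r < 0) {
        perror("fixture");
        return 1;
    }
    printf("stat() check fooled by symlink, lstat() check not: %s\n",
           r ? "yes" : "no");
    return r ? 0 : 1;
}
```

In the real attack the link does not point at the attacker's own file but at one owned by the user being impersonated, which is why the empty-username fallback to the world-writable /var/dt/tmp matters: it gives the attacker a place to create the link that the daemon will then inspect.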
The script below performs all necessary actions on a Solaris host. It makes use of the dtaction command, whose behavior is modified by pre-loading a shared library containing replacement libc functions.
Another "feature" of dtspcd is that it allows access, without requesting a password, to all systems that share NFS-exported home directories: a file created in the exported home directory passes the daemon's verification on every host that mounts it.
Affected systems:
The only systems verified to contain this hole were:
Solaris 7, 2.6, 2.5.1
However, it is strongly suspected that most systems running CDE are vulnerable.