Re: [cdesktopenv-devel] CDE 2.3.2 has been released
Hi,

FWIW, here are two releases from Marco that might shed more light:

https://techblog.mediaservice.net/2020/01/local-privilege-escalation-via-cde-dtsession/
https://github.com/0xdea/advisories/blob/master/2020-02-cde-dtsession.txt

which includes a link to the Solaris POC.

-jon

On 1/14/20 5:37 PM, Jon Trulson wrote:
> Hi,
>
> This is a quick release of CDE 2.3.2. It is the same as CDE 2.3.1,
> except that a patch has been applied to correct some potentially
> exploitable buffer overruns in dtsession and DtSvc. dtsession runs
> SUID root.
>
> This release of CDE was timed to occur after the embargo period
> defined by the release of related patches by Oracle for their version
> of CDE, which was to have occurred at 1PM today (Jan 14).
>
> The currently unreleased POC (Proof of Concept) exploit code only
> works on the Oracle version of CDE. It exploits stack based buffer
> overflows in dtsession to provide a root shell to a local unprivileged
> user.
>
> Oracle is using the v1.x source base, where we are using the 2.x
> base. In the Solaris version, these overflowed variables reside on
> the stack. In our CDE, they reside on the heap, which makes things
> somewhat more difficult to exploit.
>
> There are 3 vulnerabilities, of which only two would apply to us.
>
> For this reason, a patch has been pushed to master that should address
> these issues. Since master is not yet stable enough for a release, we
> (Peter and I) decided a 2.3.2 release with this patch was warranted
> just to be overly cautious.
>
> To be clear: Current opensource CDE is not vulnerable to the POC, and
> of the 3 issues, only two could be exploited in previous versions with
> a significant amount of work. However for someone with the skills and
> the time...
>
> Here is a link to the master commit if you are curious:
>
> https://sourceforge.net/p/cdesktopenv/code/ci/6b32246d06ab16fd7897dc344db69d0957f3ae08/
>
> The real horror here is that the original programmers clearly did not
> understand how strncat() works :)
>
> What follows is the text of the commit:
>
> dtsession, DtSvc: fix CVE-2020-2696/VU#308289
>
> Marco Ivaldi has identified 3
> vulnerabilities in CDE.
>
> Two of them could affect our CDE (open-source version), while the 3rd
> (sdtcm_convert) is Solaris specific.
>
> The two vulnerabilities, both of which affect dtsession, could allow a
> local privilege escalation to root. A POC exists for Solaris. The
> POC will not function on our CDE for two main reasons:
>
> - the POC is Solaris specific
> - The overflowed variables in question are allocated on the heap,
>   whereas in Solaris these variables are located on the stack.
>
> The first vulnerability allows an extra long palette name to be used
> to cause a crash via insufficient validation in
> SrvPalette.c:CheckMonitor().
>
> The second, which has not yet been assigned a CERT CVE, resides in
> SmCreateDirs.c:_DtCreateDtDirs() in libDtSvc. Due to insufficient
> bounds checking, a crash or corruption can be achieved by using a very
> long DISPLAY name.
>
> This one is considered difficult to exploit, and no POC code is
> available at this time. CDE 2.x code-bases are also listed as not
> vulnerable, however some work has been done anyway to do some proper
> bounds checking in these functions.
>
> The following text portions are copied from the relevant advisories,
> which have not been released as of this writing.
>
> NOTE: Oracle CDE does NOT use CDE 2.3.0a or earlier as mentioned
> below. (They are completely different code-bases.)
>
> Regarding CVE-2020-2692:
>
> A buffer overflow in the CheckMonitor() function in the Common
> Desktop Environment 2.3.0a and earlier, as distributed with Oracle
> Solaris 10 1/13 (Update 11) and earlier, allows local users to gain
> root privileges via a long palette name passed to dtsession in a
> malicious .Xdefaults file.
>
> Note that Oracle Solaris CDE is based on the original CDE 1.x train,
> which is different from the CDE 2.x codebase that was later open
> sourced. Most notably, the vulnerable buffer in the Oracle Solaris
> CDE is stack-based, while in the open source version it is
> heap-based.
>
> Regarding the DtSvc bug, which does not currently have a CERT CVE:
>
> A difficult to exploit stack-based buffer overflow in the
> _DtCreateDtDirs() function in the Common Desktop Environment version
> distributed with Oracle Solaris 10 1/13 (Update 11) and earlier may
> allow local users to corrupt memory and potentially execute
> arbitrary code in order to escalate privileges via a long X11
> display name. The vulnerable function is located in the libDtSvc
> library and can be reached by executing the setuid program
> dtsession.
>
> The
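The commit message quoted above attributes the dtsession and libDtSvc overruns to insufficient bounds checking and to a misunderstanding of strncat(). The most common form of that misunderstanding is passing the destination's total size as the third argument, which is actually the maximum number of source bytes to copy. The C below is an added example written for this thread, not code from CDE, from the commit, or from the advisories: it computes the arithmetic of that misuse without performing the write, shows a bounded append that derives the size argument from the room left in the buffer, and adds a length check of the kind a setuid program should apply to an untrusted palette name or DISPLAY string before copying it anywhere. All function names, buffer sizes and strings are constructed for the example; this page does not show the real dtsession or libDtSvc code, and nothing here is taken from it.

```c
#include <stddef.h>
#include <string.h>

/*
 * Reject an untrusted name (palette name, DISPLAY string, ...) before it is
 * ever copied. Returns 1 only if a NUL appears within the first max_len+1
 * bytes, so an over-long or unterminated input never reaches a fixed buffer.
 * Assumed limit and name are constructed for this example.
 */
static int name_within_limit(const char *name, size_t max_len)
{
    return memchr(name, '\0', max_len + 1) != NULL;
}

/*
 * Bounded append with the size argument strncat() actually wants: the number
 * of bytes of src it may copy, i.e. the space left in dst minus one byte for
 * the terminator. dst stays NUL-terminated in every case.
 *
 * Returns 1 if all of src fit, 0 if src was truncated. If dst is not a
 * NUL-terminated string within dst_size, nothing is written and 0 is returned.
 */
static int append_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return 0;
    const char *end = memchr(dst, '\0', dst_size);
    if (end == NULL)
        return 0;                       /* no terminator: refuse to touch it */
    size_t used = (size_t)(end - dst);
    size_t room = dst_size - used - 1;  /* bytes available before the NUL */
    size_t need = strlen(src);
    strncat(dst, src, room);            /* copies at most room bytes, then a NUL */
    return need <= room;
}

/*
 * The classic misreading: strncat(dst, src, sizeof dst). That third argument
 * does not bound the destination; strncat() still writes min(strlen(src), n)
 * bytes plus a NUL after the existing contents. This function performs the
 * same arithmetic without doing the write and reports whether such a call
 * would run past the end of a dst_size-byte buffer.
 */
static int naive_strncat_overflows(size_t dst_size, const char *dst, const char *src)
{
    size_t used = strlen(dst);
    size_t copied = strlen(src);
    if (copied > dst_size)
        copied = dst_size;              /* n == dst_size caps the copy */
    return used + copied + 1 > dst_size;
}

/* Self-checks on constructed inputs: an 8-byte and a 16-byte buffer. */
static int check_truncated_append(void)
{
    char buf[8] = "abc";
    int fit = append_bounded(buf, sizeof buf, "defghij");
    /* "defghij" does not fit; result is "abcdefg" with buf[7] == '\0' */
    return fit == 0 && strcmp(buf, "abcdefg") == 0;
}

static int check_fitting_append(void)
{
    char buf[16] = "abc";
    int fit = append_bounded(buf, sizeof buf, "def");
    return fit == 1 && strcmp(buf, "abcdef") == 0;
}

int main(void)
{
    int ok = check_truncated_append()
          && check_fitting_append()
          && naive_strncat_overflows(8, "abc", "defghij")
          && !name_within_limit("abcd", 3);
    return ok ? 0 : 1;
}
```

The point to carry back to the thread: whether the buffer lives on the stack (Solaris CDE 1.x) or the heap (open-source CDE 2.x) only changes how hard corruption is to exploit, not whether it happens; the fix in both cases is to bound the copy by the space actually remaining and to reject over-long input up front.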
Re: [cdesktopenv-devel] CDE 2.3.2 has been released
On 1/15/20 3:04 PM, Swift Griggs wrote:
>
> Jon this whole situation with Solaris having its own code base which
> goes back to 1.x. I'm curious if that is why there are a lot of tools
> and utils (mostly ones starting with "sd") which aren't part of the
> open source version?
>

Yes - Sun used the 1.x base, and made many modifications and added several of their own home-grown tools.

> I.e. they must have made those tools specifically for their version of
> CDE and thus they never saw the "light of day" since Solaris never
> open sourced their CDE.
>

Correct.

> Also, what was the deal back in the OpenSolaris days before Oracle
> killed it? Did that codebase have CDE? I also wonder about Illumos. Do
> they still have a CDE codebase, too? I'm guessing Sun just didn't
> release it with the rest of the code.
>

Due to the licensing restriction of CDE, Sun never released the source for that. They were moving toward gnome at the time I think.

> Not that it really matters. I'm just asking for the sake of trivia and
> posterity. However, I would like to motivate myself enough to take on
> writing one or two replacements for some of the cooler tools from
> Sun's CDE. However, lately I've been just stuck doing MOTIF tutorials
> on my SGI IRIX systems under Indigo Magic / 4DWM. It might not be CDE,
> but it's a kissing cousin in my opinion.
>

Well, we could use a new dtmail, and dtappbuilder needs love, and... :)

> I also wanted to congratulate you and the team on the new release.
>

Thanks!

-jon

> -S
>
>
> ___
> cdesktopenv-devel mailing list
> cdesktopenv-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/cdesktopenv-devel

--
Jon Trulson

"Entropy. It isn't what it used to be."
-- Sheldon
Re: [cdesktopenv-devel] CDE 2.3.2 has been released
Jon this whole situation with Solaris having its own code base which goes back to 1.x. I'm curious if that is why there are a lot of tools and utils (mostly ones starting with "sd") which aren't part of the open source version?

I.e. they must have made those tools specifically for their version of CDE and thus they never saw the "light of day" since Solaris never open sourced their CDE.

Also, what was the deal back in the OpenSolaris days before Oracle killed it? Did that codebase have CDE? I also wonder about Illumos. Do they still have a CDE codebase, too? I'm guessing Sun just didn't release it with the rest of the code.

Not that it really matters. I'm just asking for the sake of trivia and posterity. However, I would like to motivate myself enough to take on writing one or two replacements for some of the cooler tools from Sun's CDE. However, lately I've been just stuck doing MOTIF tutorials on my SGI IRIX systems under Indigo Magic / 4DWM. It might not be CDE, but it's a kissing cousin in my opinion.

I also wanted to congratulate you and the team on the new release.

-S
Re: [cdesktopenv-devel] CDE 2.3.2 has been released
I vote in favor of retiring dtmail.

On Wednesday, January 15, 2020, Jon Trulson wrote:
> On 1/15/20 5:41 PM, Richard L. Hamilton wrote:
>> I think I once compiled a non-recent version of open-source CDE for Solaris
>> 11 (SPARC), and it mostly worked, although dtmail was definitely unusable.
>
> dtmail is useless. So much work would need to go into it, to bring it up
> to modern standards, and I don't see anyone stepping up to do it.
>
> I would like to 'retire' it.
>
> dtappbuilder is another one that seemed cool at the time, but who uses
> it? Who *would* use it today if it worked well?
>
> That's another one I'd like to 'retire'.
>
> --
> Jon Trulson
>
> "Entropy. It isn't what it used to be."
> -- Sheldon
Re: [cdesktopenv-devel] CDE 2.3.2 has been released
On 1/15/20 5:41 PM, Richard L. Hamilton wrote:
> I think I once compiled a non-recent version of open-source CDE for Solaris
> 11 (SPARC), and it mostly worked, although dtmail was definitely unusable.

dtmail is useless. So much work would need to go into it, to bring it up to modern standards, and I don't see anyone stepping up to do it.

I would like to 'retire' it.

dtappbuilder is another one that seemed cool at the time, but who uses it? Who *would* use it today if it worked well?

That's another one I'd like to 'retire'.

--
Jon Trulson

"Entropy. It isn't what it used to be."
-- Sheldon
Re: [cdesktopenv-devel] CDE 2.3.2 has been released
Now that we have a contact with CERT, could we ask them if VU#179804 and CA-1999-08 from the wiki still apply to our code?

Thank you for your time,
-Chase

‐‐‐ Original Message ‐‐‐
On Wednesday, January 15, 2020 4:11 PM, Jon Trulson wrote:

> On 1/15/20 3:04 PM, Swift Griggs wrote:
>
>> Jon this whole situation with Solaris having its own code base which goes
>> back to 1.x. I'm curious if that is why there are a lot of tools and utils
>> (mostly ones starting with "sd") which aren't part of the open source
>> version?
>
> Yes - Sun used the 1.x base, and made many modifications and added several of
> their own home-grown tools.
>
>> I.e. they must have made those tools specifically for their version of CDE
>> and thus they never saw the "light of day" since Solaris never open sourced
>> their CDE.
>
> Correct.
>
>> Also, what was the deal back in the OpenSolaris days before Oracle killed
>> it? Did that codebase have CDE? I also wonder about Illumos. Do they still
>> have a CDE codebase, too? I'm guessing Sun just didn't release it with the
>> rest of the code.
>
> Due to the licensing restriction of CDE, Sun never released the source for
> that. They were moving toward gnome at the time I think.
>
>> Not that it really matters. I'm just asking for the sake of trivia and
>> posterity. However, I would like to motivate myself enough to take on
>> writing one or two replacements for some of the cooler tools from Sun's CDE.
>> However, lately I've been just stuck doing MOTIF tutorials on my SGI IRIX
>> systems under Indigo Magic / 4DWM. It might not be CDE, but it's a kissing
>> cousin in my opinion.
>
> Well, we could use a new dtmail, and dtappbuilder needs love, and... :)
>
>> I also wanted to congratulate you and the team on the new release.
>
> Thanks!
>
> -jon
>
>> -S
>
> --
> Jon Trulson
>
> "Entropy. It isn't what it used to be."
> -- Sheldon
Re: [cdesktopenv-devel] CDE 2.3.2 has been released
>> Also, what was the deal back in the OpenSolaris days before Oracle killed it?
>> Did that codebase have CDE? I also wonder about Illumos. Do they still have a
>> CDE codebase, too? I'm guessing Sun just didn't release it with the rest of
>> the code.

Sun didn't have the rights to release CDE at that time, so presumably didn't see the point in releasing their related code. Some things like the graphical workspace manager, seem to have been either licensed from or inspired by other CDE variants (Triteal is the one that particularly resembles, if memory serves).

During the Solaris 10 to Solaris 11 days including OpenSolaris, there were releases called Solaris SXCE that still had CDE in them but had the evolving Solaris 11 environment underneath; the components unique to those were not open-sourced, and I think the license was limited to non-production use and perhaps to a limited timespan, although nothing actually enforced that (I think I have an x86 SXCE VM image still, and it works passably well last I tried; I may also have some of the opencsw stuff on there, which is still updatable, although the OS itself is not).

I think I once compiled a non-recent version of open-source CDE for Solaris 11 (SPARC), and it mostly worked, although dtmail was definitely unusable.
Re: [cdesktopenv-devel] CDE 2.3.2 has been released
I'm probably the only one that would actually use it. Building Motif apps from scratch is a tedious process.

On Wed, 15 Jan 2020 at 20:34, Christopher Turkel <turkel.christop...@gmail.com> wrote:
> I vote in favor of retiring dtmail.
>
> On Wednesday, January 15, 2020, Jon Trulson wrote:
>
>> On 1/15/20 5:41 PM, Richard L. Hamilton wrote:
>>
>>> I think I once compiled a non-recent version of open-source CDE for Solaris
>>> 11 (SPARC), and it mostly worked, although dtmail was definitely unusable.
>>
>> dtmail is useless. So much work would need to go into it, to bring it up
>> to modern standards, and I don't see anyone stepping up to do it.
>>
>> I would like to 'retire' it.
>>
>> dtappbuilder is another one that seemed cool at the time, but who uses
>> it? Who *would* use it today if it worked well?
>>
>> That's another one I'd like to 'retire'.
>>
>> --
>> Jon Trulson
>>
>> "Entropy. It isn't what it used to be."
>> -- Sheldon

--
Tony Belanger
343.370.9303
https://www.linkedin.com/in/tony-belanger-5437b152/