[40] in Best-of-Security


BoS: Re: Security hole in Solaris 2.5 (sdtcm_convert) + exploit

daemon@ATHENA.MIT.EDU (Casper Dik)
Sun Feb 23 02:32:39 1997

Date: 	Sat, 22 Feb 1997 18:18:28 +0100
Reply-To: Casper Dik <casper@HOLLAND.SUN.COM>
From: Casper Dik <casper@HOLLAND.SUN.COM>
In-Reply-To:  Your message of "Sat, 22 Feb 1997 17:07:23 +0200." 
              <Pine.GSO.3.95.970222170637.18883A-100000@sundy.cs.pub.ro>
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net

>Sat Feb 22 15:25:48 EET 1997 Romania
>
>Another hole in Solaris
>
>I have found a security hole in sdtcm_convert on Solaris 2.5.1.
>sdtcm_convert - calendar data conversion utility - allows any user to
>change the owner for any file (or directory) from the system or gain root
>access. The exploit is very simple. Change the permission mode of your calendar
>file (callog.YOU) from /var/spool/calendar directory (usual r--rw----) and run
>sdtcm_convert. sdtcm_convert will observe the change and will want to
>correct it (it will ask you first). You have only to delete the callog file
>and make a symbolic link to a target file and your calendar file and say
>'y' (yes) to sdtcm_convert. sdtcm_convert will make you the owner of the target
>file ...
>A simple way to correct this is to get out suid_exec bit from
>sdtcm_convert


Is this the bug fixed in the Sun patches:

103670-02: CDE 1.0.2: sdtcm_convert has a security vulnerability
103671-02: CDE 1.0.1: sdtcm_convert has a security vulnerability
103717-02: CDE 1.0.2: sdtcm_convert has a security vulnerability (x86 version)
103718-02: CDE 1.0.1: sdtcm_convert has a security vulnerability (x86 version)


or is it a new one?

Casper
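
The quoted report describes a set-uid program that changes the ownership of a path after a user has replaced the file under that path with a symbolic link. The C code below is an added example, not part of the original message and not Sun's code, showing the usual defensive pattern of acting on an open descriptor instead of a name; the helper name fix_calendar_perms, the file names and the scratch directory are assumptions made for the example.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Sun's code): reset owner and mode of a calendar
 * file without being redirected by a symlink planted under its name. */
int fix_calendar_perms(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    struct stat st;
    /* O_NOFOLLOW makes open() fail if the final path component is a symlink. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;
    /* Inspect the object actually opened: a regular file with a single name. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    /* fchown/fchmod act on the descriptor, so swapping the path afterwards
     * cannot change which file is modified. */
    int rc = (fchown(fd, uid, gid) == 0 && fchmod(fd, mode) == 0) ? 0 : -1;
    close(fd);
    return rc;
}

/* Constructed self-check in a scratch directory: returns 0 when a real file
 * is repaired and a symlink is refused with its target left untouched. */
int demo(void)
{
    char dir[] = "/tmp/calfixXXXXXX", real[64], target[64], lnk[64];
    struct stat before, after, fixed;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(real, sizeof real, "%s/callog.user", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/callog.link", dir);
    close(open(real, O_CREAT | O_WRONLY, 0600));
    close(open(target, O_CREAT | O_WRONLY, 0600));
    if (symlink(target, lnk) != 0 || stat(target, &before) != 0) return -1;
    int repaired = fix_calendar_perms(real, geteuid(), getegid(), 0460);
    int refused = fix_calendar_perms(lnk, geteuid(), getegid(), 0460);
    if (stat(real, &fixed) != 0 || stat(target, &after) != 0) return -1;
    unlink(lnk); unlink(real); unlink(target); rmdir(dir);
    return (repaired == 0 && (fixed.st_mode & 0777) == 0460 && refused == -1 &&
            after.st_mode == before.st_mode && after.st_uid == before.st_uid) ? 0 : 1;
}
int main(void) { return demo(); }
```

O_NOFOLLOW only protects the final path component, so the directory holding the file must itself not be replaceable by the unprivileged user.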

