[11338] in bugtraq
Re: sdtcm_convert
daemon@ATHENA.MIT.EDU (Joel Eriksson)
Tue Aug 10 21:08:26 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990810093431.A381@hades.chaoz.org>
Date: Tue, 10 Aug 1999 09:34:31 +0200
Reply-To: Joel Eriksson <jen@ETTNET.SE>
From: Joel Eriksson <jen@ETTNET.SE>
X-To: Tim.Wundke@camtech.com.au
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <199908100720.QAA29531@slingshot.ct>; from
Tim.Wundke@camtech.com.au on Tue, Aug 10, 1999 at 04:48:20PM +0930
On Tue, Aug 10, 1999 at 04:48:20PM +0930, Tim.Wundke@camtech.com.au wrote:
> On 9 Aug, Joel Eriksson wrote:
> <snip>
> >
> > If one of the following files does not exist and sdtcm_convert is SUID you
> > are probably vulnerable (I say probably since I haven't tested exploiting
> > the bug):
> >
> > /usr/spool/calendar/.lock.convert.<hostname>
> > /usr/spool/calendar/.lock.<hostname>
> >
> > They are opened with O_WRONLY|O_CREAT and mode 0660, EUID = 0. This means
> > that a symbolic link from them to anywhere would either create or overwrite
> > the destination file when sdtcm_convert is run, the file would be owned by
> > root, but by YOUR group. Since it is also writeable by group (0660) the
> > user exploiting this vulnerability also have write access to the file..
> >
> > It does not take much imagination to gain root with this..
>
> I'm not sure whether I'm on a standard 2.6 system or not (I believe so),
> but sdtcm_convert is both SUID and SGID (root, daemon). Therefore any
> files created are owned by root, with a group of daemon. If the binary
> is SUID only, then I believe you are correct.
On the system I'm on, the binary is SUID only and the /usr/spool/calendar
is SGID daemon (since the calendar file should be owned by the daemon group).
> Tim.
--
Joel Eriksson jen@ettnet.se
