Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Security hole in Solaris 2.5 (sdtcm_convert) + exploit
From: casper () HOLLAND SUN COM (Casper Dik)
Date: Sat, 22 Feb 1997 18:18:28 +0100


Sat Feb 22 15:25:48 EET 1997 Romania

Another hole in Solaris

I have found a security hole in sdtcm_convert on Solaris 2.5.1.
sdtcm_convert - calendar data conversion utility - allows any user to
change the owner for any file (or directory) from the system or gain root
access. The exploit is very simple. Change the permision mode of your calendar
file (callog.YOU) from /var/spool/calendar directory (usual r--rw----) and run
sdtcm_convert. sdtcm_convert 'll observe the change and 'll want  to
correct it (it 'll ask you first). You have only to delete the callog file
and make a symbolic link to a target file and your calendar file and said to
sdtcm_convert 'y' (yes). sdtcm_convert 'll make you the owner of target
file ...
A simple way to correct this is to get out suid_exec bit from
sdtcm_convert


Is this the bug fixed in the Sun patches:

103670-02: CDE 1.0.2: sdtcm_convert has a security vulnerability
103671-02: CDE 1.0.1: sdtcm_convert has a security vulnerability
103717-02: CDE 1.0.2: sdtcm_convert has a security vulnerability (x86 version)
103718-02: CDE 1.0.1: sdtcm_convert has a security vulnerability (x86 version)


or is it a new one?

Casper



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault