[jen () ettnet se: sdtcm_convert]

[jen () ETTNET SE (Joel Eriksson)]

Ehrm, I was really tired when I wrote the first message, ok..? :-)

I did not only forgot to mention that the system was Solaris 2.6,
but also made a small error.. The bug may be used to _create_ files
that is owned by root, but writeable by your group, but not to
overwrite any existing ones.

----- Forwarded message from Joel Eriksson <jen () ettnet se> -----

Date: Mon, 9 Aug 1999 01:04:51 +0200
From: Joel Eriksson <jen () ettnet se>
To: BUGTRAQ () SECURITYFOCUS COM
Subject: sdtcm_convert
X-Mailer: Mutt 0.95.4i
X-PGP-Key: http://www.ettnet.se/~jen/pgpkeys/pubkey5.asc
X-PGP-ID: 1024/0x8A15DE20 1999-04-07 Joel Eriksson <jen () ettnet se>
X-PGP-Fingerprint: F715 687D 6B1C 0726 B9F4  EF26 BF82 C749 8A15 DE20
X-Phone: +46-704-428007

Hello Bugtraq readers.

There have been security holes in sdtcm_convert before, as with most CDE
programs it seem. Studying some truss-output I think I found yet another
one.

If one of the following files does not exist and sdtcm_convert is SUID you
are probably vulnerable (I say probably since I haven't tested exploiting
the bug):

  /usr/spool/calendar/.lock.convert.<hostname>
  /usr/spool/calendar/.lock.<hostname>

They are opened with O_WRONLY|O_CREAT and mode 0660, EUID = 0. This means
that a symbolic link from them to anywhere would either create or overwrite
the destination file when sdtcm_convert is run, the file would be owned by
root, but by YOUR group. Since it is also writeable by group (0660) the
user exploiting this vulnerability also have write access to the file..

It does not take much imagination to gain root with this..

--
Joel Eriksson                                              jen () ettnet se
Security Consultant

----- End forwarded message -----

--
Mvh Joel Eriksson