Bugtraq mailing list archives
Re: sdtcm_convert
From: jen () ETTNET SE (Joel Eriksson)
Date: Tue, 10 Aug 1999 09:34:31 +0200
On Tue, Aug 10, 1999 at 04:48:20PM +0930, Tim.Wundke () camtech com au wrote:
On 9 Aug, Joel Eriksson wrote: <snip>If one of the following files does not exist and sdtcm_convert is SUID you are probably vulnerable (I say probably since I haven't tested exploiting the bug): /usr/spool/calendar/.lock.convert.<hostname> /usr/spool/calendar/.lock.<hostname> They are opened with O_WRONLY|O_CREAT and mode 0660, EUID = 0. This means that a symbolic link from them to anywhere would either create or overwrite the destination file when sdtcm_convert is run, the file would be owned by root, but by YOUR group. Since it is also writeable by group (0660) the user exploiting this vulnerability also have write access to the file.. It does not take much imagination to gain root with this..I'm not sure whether I'm on a standard 2.6 system or not (I believe so), but sdtcm_convert is both SUID and SGID (root, daemon). Therefore any files created are owned by root, with a group of daemon. If the binary is SUID only, then I believe you are correct.
On the system I'm on, the binary is SUID only and the /usr/spool/calendar is SGID daemon (since the calendar file should be owned by the daemon group).
Tim.
-- Joel Eriksson jen () ettnet se
Current thread:
- Re: sdtcm_convert Joel Eriksson (Aug 10)