Security hole in Solaris 2.5 (sdtcm_convert) + exploit
Mike Duvos
mpd at netcom.com
Sat Feb 22 09:36:14 PST 1997
Someone in Romania writes:
> Another hole in Solaris
Horrors no!
> The exploit is very simple. Change the permision mode of your calendar
> file (callog.YOU) from /var/spool/calendar directory (usual r--rw----) and run
> sdtcm_convert. sdtcm_convert 'll observe the change and 'll want to
> correct it (it 'll ask you first). You have only to delete the callog file
> and make a symbolic link to a target file and your calendar file and said to
> sdtcm_convert 'y' (yes). sdtcm_convert 'll make you the owner of target
> file ...
Where would Unix be without symbolic links and race conditions?
This is cute, in that rather than having to mung a symbolic link on
the fly, the program conveniently asks for user input with suid set,
and then pauses while you set the trap.
Good work.
--
Mike Duvos $ PGP 2.6 Public Key available $
mpd at netcom.com $ via Finger. $
More information about the Testlist
mailing list