From: mpd@netcom.com (Mike Duvos)
To: cypherpunks@toad.com
Message Hash: 06bbc0173fb11238af481c1d0404eb6c6ce13b62ee49c9aaddd8732a69eee6b0
Message ID: <199702221736.JAA10536@netcom14.netcom.com>
Reply To: <Pine.GSO.3.95.970222170729.18883B-100000@sundy.cs.pub.ro>
UTC Datetime: 1997-02-22 17:36:14 UTC
Raw Date: Sat, 22 Feb 1997 09:36:14 -0800 (PST)
From: mpd@netcom.com (Mike Duvos)
Date: Sat, 22 Feb 1997 09:36:14 -0800 (PST)
To: cypherpunks@toad.com
Subject: Re: Security hole in Solaris 2.5 (sdtcm_convert) + exploit
In-Reply-To: <Pine.GSO.3.95.970222170729.18883B-100000@sundy.cs.pub.ro>
Message-ID: <199702221736.JAA10536@netcom14.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain
Someone in Romania writes:
> Another hole in Solaris
Horrors no!
> The exploit is very simple. Change the permision mode of your calendar
> file (callog.YOU) from /var/spool/calendar directory (usual r--rw----) and run
> sdtcm_convert. sdtcm_convert 'll observe the change and 'll want to
> correct it (it 'll ask you first). You have only to delete the callog file
> and make a symbolic link to a target file and your calendar file and said to
> sdtcm_convert 'y' (yes). sdtcm_convert 'll make you the owner of target
> file ...
Where would Unix be without symbolic links and race conditions?
This is cute, in that rather than having to mung a symbolic link on
the fly, the program conveniently asks for user input with suid set,
and then pauses while you set the trap.
Good work.
--
Mike Duvos $ PGP 2.6 Public Key available $
mpd@netcom.com $ via Finger. $
Return to February 1997
Return to “mpd@netcom.com (Mike Duvos)”