[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security hole in Solaris 2.5 (sdtcm_convert) + exploit

To: [email protected]
Subject: Re: Security hole in Solaris 2.5 (sdtcm_convert) + exploit
From: [email protected] (Mike Duvos)
Date: Sat, 22 Feb 1997 09:36:11 -0800 (PST)
In-Reply-To: <[email protected]> from "Cristian SCHIPOR" at Feb 22, 97 05:08:41 pm
Sender: [email protected]

Someone in Romania writes:

> Another hole in Solaris

Horrors no!  

> The exploit is very simple. Change the permision mode of your calendar
> file (callog.YOU) from /var/spool/calendar directory (usual r--rw----) and run
> sdtcm_convert. sdtcm_convert 'll observe the change and 'll want  to
> correct it (it 'll ask you first). You have only to delete the callog file
> and make a symbolic link to a target file and your calendar file and said to
> sdtcm_convert 'y' (yes). sdtcm_convert 'll make you the owner of target
> file ...  

Where would Unix be without symbolic links and race conditions?  

This is cute, in that rather than having to mung a symbolic link on
the fly, the program conveniently asks for user input with suid set,
and then pauses while you set the trap.  

Good work. 

--
     Mike Duvos         $    PGP 2.6 Public Key available     $
     [email protected]     $    via Finger.                      $

Follow-Ups:
- Re: Security hole in Solaris 2.5 (sdtcm_convert) + exploit
  - From: Bill Stewart <[email protected]>

References:
- Security hole in Solaris 2.5 (sdtcm_convert) + exploit
  - From: Cristian SCHIPOR <[email protected]>

Prev by Date: Re: DES Crack Hype
Next by Date: Re: DES Crack Hype
Prev by thread: Security hole in Solaris 2.5 (sdtcm_convert) + exploit
Next by thread: Re: Security hole in Solaris 2.5 (sdtcm_convert) + exploit
Index(es):
- Date
- Thread