Hello Bugtraq readers. There have been security holes in sdtcm_convert before, as with most CDE programs it seem. Studying some truss-output I think I found yet another one. If one of the following files does not exist and sdtcm_convert is SUID you are probably vulnerable (I say probably since I haven't tested exploiting the bug): /usr/spool/calendar/.lock.convert.<hostname> /usr/spool/calendar/.lock.<hostname> They are opened with O_WRONLY|O_CREAT and mode 0660, EUID = 0. This means that a symbolic link from them to anywhere would either create or overwrite the destination file when sdtcm_convert is run, the file would be owned by root, but by YOUR group. Since it is also writeable by group (0660) the user exploiting this vulnerability also have write access to the file.. It does not take much imagination to gain root with this.. -- Joel Eriksson jenat_private Security Consultant
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:55:39 PDT