On Tue, Aug 10, 1999 at 04:48:20PM +0930, Tim.Wundkeat_private wrote:
> On 9 Aug, Joel Eriksson wrote:
>
> <snip>
>
> > If one of the following files does not exist and sdtcm_convert is SUID you
> > are probably vulnerable (I say probably since I haven't tested exploiting
> > the bug):
> >
> > /usr/spool/calendar/.lock.convert.<hostname>
> > /usr/spool/calendar/.lock.<hostname>
> >
> > They are opened with O_WRONLY|O_CREAT and mode 0660, EUID = 0. This means
> > that a symbolic link from them to anywhere would either create or overwrite
> > the destination file when sdtcm_convert is run; the file would be owned by
> > root, but by YOUR group. Since it is also writeable by group (0660), the
> > user exploiting this vulnerability also has write access to the file..
> >
> > It does not take much imagination to gain root with this..
>
> I'm not sure whether I'm on a standard 2.6 system or not (I believe so),
> but sdtcm_convert is both SUID and SGID (root, daemon). Therefore any
> files created are owned by root, with a group of daemon. If the binary
> is SUID only, then I believe you are correct.

On the system I'm on, the binary is SUID only and /usr/spool/calendar is
SGID daemon (since the calendar file should be owned by the daemon group).

> Tim.

--
Joel Eriksson
jenat_private
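The open() pattern the thread describes (O_WRONLY|O_CREAT on a predictable path whose final component an attacker can replace with a symlink) next to a hardened form, as an added C example that is not part of the original post and not sdtcm_convert's code. It plants its own symlink in a scratch directory under /tmp (constructed for the demo), so it runs as an unprivileged user; the function and file names are its own, and it does not reproduce the root-owned, attacker-group file the thread discusses, since that needs a real SUID root binary.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The open() pattern the post attributes to sdtcm_convert: the final path
 * component may be a symlink planted by a local user, and open() follows
 * it, creating or truncating whatever it points at with the caller's EUID
 * (root for a SUID binary) and the mode given here (group-writable). */
int open_lock_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT, 0660);
}

/* Hardened lock-file open. O_EXCL makes open() fail if anything already
 * exists at the path; POSIX requires this to include a symlink, wherever
 * it points. O_NOFOLLOW additionally refuses to follow a symlink in the
 * final component. Mode 0600 hands no group-write bit to the (attacker
 * influenced) group the process carries. In a real SUID program the lock
 * should also be created only after dropping to the invoking user's
 * uid/gid, so the file cannot be root-owned in the first place. */
int open_lock_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* What one planted-symlink attempt did. */
struct demo_result {
    int open_rc;        /* fd (>= 0) on success, -1 on failure */
    int open_errno;     /* errno if open failed, else 0        */
    int target_created; /* 1 if the symlink's target now exists */
};

static struct demo_result last_unsafe, last_safe;

/* Plant "<dir>/lock" -> "<dir>/victim" where victim does not exist yet
 * (the attacker's move), call `opener` on the lock path (the privileged
 * program's move) and record what happened to victim. */
static int run_attempt(const char *dir, int (*opener)(const char *),
                       struct demo_result *r)
{
    char lock[4096], victim[4096];
    struct stat st;

    snprintf(lock, sizeof lock, "%s/lock", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    unlink(lock);
    unlink(victim);
    if (symlink(victim, lock) != 0)
        return -1;

    errno = 0;
    r->open_rc = opener(lock);
    r->open_errno = r->open_rc < 0 ? errno : 0;
    if (r->open_rc >= 0)
        close(r->open_rc);
    r->target_created = (stat(victim, &st) == 0);
    unlink(lock);
    return 0;
}

/* Run both openers against a fresh symlink in a scratch directory under
 * /tmp (constructed for this demo). Returns 1 when they behave as
 * described above: the unsafe open created the victim file, the safe
 * open refused the symlink (EEXIST or ELOOP) and left no victim behind. */
int symlink_demo(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX";
    char victim[4096];
    int ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    if (run_attempt(dir, open_lock_unsafe, &last_unsafe) == 0 &&
        run_attempt(dir, open_lock_safe, &last_safe) == 0) {
        ok = last_unsafe.open_rc >= 0 && last_unsafe.target_created &&
             last_safe.open_rc < 0 && !last_safe.target_created &&
             (last_safe.open_errno == EEXIST ||
              last_safe.open_errno == ELOOP);
    }
    snprintf(victim, sizeof victim, "%s/victim", dir);
    unlink(victim);
    rmdir(dir);
    return ok;
}

/* Accessors for the last run, so the details can be checked separately. */
int unsafe_created_target(void) { return last_unsafe.target_created; }
int safe_created_target(void)   { return last_safe.target_created; }
int safe_open_errno(void)       { return last_safe.open_errno; }

int main(void)
{
    int ok = symlink_demo();
    printf("unsafe open created target: %d\n", unsafe_created_target());
    printf("safe open created target:   %d (errno: %s)\n",
           safe_created_target(), strerror(safe_open_errno()));
    printf("demo %s\n", ok ? "shows the difference" : "did not run as expected");
    return ok ? 0 : 1;
}
```

Build with `cc -o lockdemo lockdemo.c` and run as a normal user: the first open creates the victim file through the symlink, the second fails without touching it. Which errno the safe open reports depends on the kernel (Linux returns EEXIST because the O_EXCL check runs before the symlink check; other systems may report ELOOP from O_NOFOLLOW), so code relying on this should accept either. The open flags only close the symlink hole; for a SUID program like the one in the thread the more basic fix is to drop to the real uid/gid before creating anything in a directory other users can write to.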
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:55:50 PDT