Bugtraq mailing list archives
sdtcm_convert
From: jen () ETTNET SE (Joel Eriksson)
Date: Mon, 9 Aug 1999 01:04:51 +0200
Hello Bugtraq readers.

There have been security holes in sdtcm_convert before, as with most CDE programs it seems. Studying some truss-output I think I found yet another one.

If one of the following files does not exist and sdtcm_convert is SUID you are probably vulnerable (I say probably since I haven't tested exploiting the bug):

    /usr/spool/calendar/.lock.convert.<hostname>
    /usr/spool/calendar/.lock.<hostname>

They are opened with O_WRONLY|O_CREAT and mode 0660, EUID = 0. This means that a symbolic link from them to anywhere would either create or overwrite the destination file when sdtcm_convert is run; the file would be owned by root, but by YOUR group. Since it is also writeable by group (0660) the user exploiting this vulnerability also has write access to the file.. It does not take much imagination to gain root with this..

--
Joel Eriksson jen () ettnet se
Security Consultant
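
The lock-file open described in the message above, next to a hardened form, as an added example that is not part of the original post and is not sdtcm_convert's code. The function names, the temp-directory paths and the choice of O_EXCL|O_NOFOLLOW with mode 0600 as the fix are assumptions made for illustration; everything runs unprivileged inside a fresh directory created by mkdtemp.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The open the post describes: O_WRONLY|O_CREAT, mode 0660.
   A symlink at `path` is followed, so the link's target gets created. */
static int open_lock_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT, 0660);
}

/* Hardened form (hypothetical fix): O_EXCL fails if the name already
   exists, even as a dangling symlink; O_NOFOLLOW refuses a symlink as
   the final path component; the mode drops group write. */
static int open_lock_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Plants a symlink at a constructed lock path, opens it with the chosen
   variant, and returns 1 if the symlink's target was created, 0 if it
   was not, -1 if the setup failed. Cleans up after itself. */
int target_created_via_symlink(int use_safe) {
    char dir[] = "/tmp/lockdemo.XXXXXX";   /* constructed sandbox dir */
    char lock[128], target[128];
    struct stat st;

    if (!mkdtemp(dir)) return -1;
    snprintf(lock, sizeof lock, "%s/.lock.demo", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, lock) != 0) { rmdir(dir); return -1; }

    int fd = use_safe ? open_lock_safe(lock) : open_lock_unsafe(lock);
    if (fd >= 0) close(fd);

    int created = (stat(target, &st) == 0);
    unlink(target);
    unlink(lock);
    rmdir(dir);
    return created;
}

int main(void) {
    printf("unsafe open created target: %d\n", target_created_via_symlink(0));
    printf("safe open created target:   %d\n", target_created_via_symlink(1));
    return 0;
}
```

A privileged program that must create files in a directory other users can write to should also drop to the real UID before the open, or keep its lock files in a directory only it can modify.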