Re: sdtcm_convert

[jen () ETTNET SE (Joel Eriksson)]

On Tue, Aug 10, 1999 at 04:48:20PM +0930, Tim.Wundke () camtech com au wrote:
> On  9 Aug, Joel Eriksson wrote:
> <snip>
> > If one of the following files does not exist and sdtcm_convert is SUID you
> > are probably vulnerable (I say probably since I haven't tested exploiting
> > the bug):
> >
> >   /usr/spool/calendar/.lock.convert.<hostname>
> >   /usr/spool/calendar/.lock.<hostname>
> >
> > They are opened with O_WRONLY|O_CREAT and mode 0660, EUID = 0. This means
> > that a symbolic link from them to anywhere would either create or overwrite
> > the destination file when sdtcm_convert is run, the file would be owned by
> > root, but by YOUR group. Since it is also writeable by group (0660) the
> > user exploiting this vulnerability also have write access to the file..
> >
> > It does not take much imagination to gain root with this..
>
> I'm not sure whether I'm on a standard 2.6 system or not (I believe so),
> but sdtcm_convert is both SUID and SGID (root, daemon).  Therefore any
> files created are owned by root, with a group of daemon.  If the binary
> is SUID only, then I believe you are correct.

On the system I'm on, the binary is SUID only and the /usr/spool/calendar
is SGID daemon (since the calendar file should be owned by the daemon group).

> Tim.

--
Joel Eriksson                                                jen () ettnet se