On Tue, Aug 10, 1999 at 04:48:20PM +0930, [EMAIL PROTECTED] wrote:
> On  9 Aug, Joel Eriksson wrote:
> <snip>
> >
> > If one of the following files does not exist and sdtcm_convert is SUID you
> > are probably vulnerable (I say probably since I haven't tested exploiting
> > the bug):
> >
> >   /usr/spool/calendar/.lock.convert.<hostname>
> >   /usr/spool/calendar/.lock.<hostname>
> >
> > They are opened with O_WRONLY|O_CREAT and mode 0660, EUID = 0. This means
> > that a symbolic link from them to anywhere would either create or overwrite
> > the destination file when sdtcm_convert is run, the file would be owned by
> > root, but by YOUR group. Since it is also writeable by group (0660) the
> > user exploiting this vulnerability also has write access to the file..
> >
> > It does not take much imagination to gain root with this..
>
> I'm not sure whether I'm on a standard 2.6 system or not (I believe so),
> but sdtcm_convert is both SUID and SGID (root, daemon).  Therefore any
> files created are owned by root, with a group of daemon.  If the binary
> is SUID only, then I believe you are correct.

On the system I'm on, the binary is SUID only and the /usr/spool/calendar
directory is SGID daemon (since the calendar file should be owned by the daemon group).

> Tim.

--
Joel Eriksson                                                [EMAIL PROTECTED]
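The open() pattern quoted above (O_WRONLY|O_CREAT, mode 0660, on a predictable path) is what lets a pre-placed symbolic link redirect the file creation. The following is an added example, not code from this thread or from sdtcm_convert/CDE: it contrasts that open() call with the hardened O_CREAT|O_EXCL|O_NOFOLLOW form in a private scratch directory under /tmp and reports what each one did. The lock-file name, the "victim" target and the scratch directory are constructed for the demo; it assumes a POSIX system with a glibc-style fcntl.h (Linux or Solaris).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Lock-file creation as the quoted post describes it: O_WRONLY|O_CREAT, mode 0660.
 * If 'path' is already a symbolic link, open() follows it and creates or
 * truncates whatever the link points to. */
int open_lock_as_described(const char *path)
{
    return open(path, O_WRONLY | O_CREAT, 0660);
}

/* Hardened form. With O_CREAT|O_EXCL, open() fails with EEXIST if anything at
 * all, including a dangling symlink, already sits at 'path'; O_NOFOLLOW is a
 * second, independent refusal of symlinks. */
int open_lock_hardened(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0660);
}

struct demo_result {
    int ran;                 /* 1 if the scratch directory could be set up */
    int described_followed;  /* 1 if the O_CREAT-only open created the link target */
    int hardened_refused;    /* 1 if the O_EXCL open failed */
    int hardened_errno;      /* errno from that failure (EEXIST expected) */
    int hardened_created;    /* 1 if the hardened open still produced the target */
};

/* Builds the scenario in a private scratch directory (a constructed setup, not a
 * real calendar spool): a symlink named like the lock file points at a not yet
 * existing 'victim' file, then both open variants are tried against it. */
struct demo_result run_symlink_demo(void)
{
    struct demo_result r = {0, 0, 0, 0, 0};
    char dir[] = "/tmp/lockdemo.XXXXXX";
    char lock[256], target[256];
    int fd;

    if (mkdtemp(dir) == NULL)
        return r;
    snprintf(lock, sizeof lock, "%s/.lock.convert.host", dir);  /* hypothetical lock name */
    snprintf(target, sizeof target, "%s/victim", dir);           /* hypothetical link target */
    if (symlink(target, lock) != 0) {
        rmdir(dir);
        return r;
    }
    r.ran = 1;

    /* The described call follows the link: 'victim' appears even though it did not exist. */
    fd = open_lock_as_described(lock);
    if (fd >= 0)
        close(fd);
    r.described_followed = (access(target, F_OK) == 0);
    unlink(target);

    /* The hardened call refuses because something already occupies the lock path. */
    errno = 0;
    fd = open_lock_hardened(lock);
    if (fd < 0) {
        r.hardened_refused = 1;
        r.hardened_errno = errno;
    } else {
        close(fd);
    }
    r.hardened_created = (access(target, F_OK) == 0);

    unlink(target);
    unlink(lock);
    rmdir(dir);
    return r;
}

int main(void)
{
    struct demo_result r = run_symlink_demo();
    if (!r.ran) {
        perror("setup");
        return 1;
    }
    printf("O_CREAT only   : link followed, target created = %d\n", r.described_followed);
    printf("O_CREAT|O_EXCL : refused = %d (%s), target created = %d\n",
           r.hardened_refused, strerror(r.hardened_errno), r.hardened_created);
    return 0;
}
```

O_EXCL is the part that matters: the program must treat "something is already at the lock path" as a failure rather than an open file. For a SUID binary the remaining fixes are outside this snippet, namely not creating files in a directory the invoking user can populate, and dropping the elevated IDs before touching anything user-controlled.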
