Vulnerability Development mailing list archives
Re: Owning privileged processes under UnixWare
From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Tue, 7 Dec 1999 00:09:27 -0800
Basically, UnixWare programs gain privileges not only from being suid/sgid, but also from /etc/security/tcb/privs. Some of the additional privileges gained might be the ability to setuid() at will or read/write to any file on the system regardless of permissions.
FYI, Lucent (nee AT&T products division) uses Unixware as a basis for its switch adjunct products, such as the Conversant (IVR) and Intuity (voicemail), at least in the more recent versions. Lucent has made some extraordinarily bad choices for their stock installs with respect to the tcb stuff.
On several pieces of Lucent equipment, I found accounts with no password that were permitted to run passwd as root under the tcb setup. It took me 20 minutes (not being familiar with Unixware) to realize that the TCB config stuff I was looking at was there to *enable* privilege use, not *prevent* it. I couldn't believe that type of thing would exist. Of course, the config files (on my Lucent system) were all world-readable, so anyone could determine who could run what.
I plan to rip Lucent a new one with a full report later on, but I thought I'd bring up this piece since you mentioned it.
Get this: I used the above hole to change root's password (which you're not really supposed to have) 3 times. Every time Lucent came back in, they'd change it to something else. They didn't say a word to us. Next time, I'll change the motd to "3y3 0wn u!" and see if they say anything.
Lucent doesn't give you root on your own box, and if you were to try something as stupid as applying security patches, they would void your support contract. (They threatened to void mine over putting in a symlink.)
BB
P.S. But at least I'm not bitter. :)