Re: SCO OpenServer Security Status

[btellier () USA NET (Brock Tellier)]

-snip-
> UnixWare read/modify users' mail (/var/spool/mail)
>       This is also not applicable on OpenServer.  OpenServer's         >equivalent
        
>        is /usr/spool/mail which has 1777 perms (world-writable, but >sticky
>        so only owner can delete files).  The local delivery agent will
>       not deliver to a file not owned by the recipient; will not follow
>       symlinks or write to a file with multiple names (hard links);
>       and is designed to avoid race conditions.

The meat of this exploit is not only that the directory is mode 0777, but
that, by SYSV standards (thanks to Aleph to clearing that up for me), we can
change the owner of any file we own.  Therefore, under OpenServer (SYSV
based), we could still create a file, change the owner and have mail delivered
to that user normally.  I don't know if that OpenServer LDA will deliver to a
file which is world-readable, however.

-snip-

I've marked in the Buffer Overflow list below which ones were known (in the
sense of publicly posted) and which were not.

> In addition to the first two vulnerabilities, we are also putting the
> finishing touches on another large collection of previously reported
> OpenServer vulnerabilities (and vulnerabilities we discovered ourselves)
> which will be available by December 25th.  The current contents include
> (but will not be limited to):
>
>  1. Buffer overflows in:
>
>    /usr/mmdf/chans/smtpsrvr * unknown
>    /etc/killall * unknown
>    /etc/popper * known or newer version of old exploit
>    /usr/bin/mscreen * known or older version of old exploit
>    /usr/bin/rlogin * unknown (same as UnixWare gethostbyname()?)
>    /bin/su * unknown (same as UnixWare exploit?)
>    /usr/lib/sysadm/termsh * unknown, but I remember doing some work on this
program.  I'll re-post if I dig up my files on it.
>    /usr/lib/libX11.so.5.0 * all the X problems known 5 years ago
>    /usr/lib/libXt.so.5.0
>    /usr/lib/libXmu.so.5.0
>    /usr/lib/libXaw.so.5.0
>    /usr/lib/libX11.a
>    /usr/lib/libXt.a
>    /usr/lib/libXmu.a
>    /usr/lib/libXaw.a
>    /usr/bin/X11/xterm * known 
>    /usr/bin/X11/xload * known
>    /usr/bin/X11/scoterm * known
>    /usr/bin/X11/scolock * known
>    /usr/bin/X11/scosession * known
>    /usr/bin/X11/scologin * known
>    /usr/lpd/remote/rlpstat * known
>    /usr/lpd/remote/cancel * known
>    /usr/lpd/remote/lpmove * known

BTW, if any of you Bugtraq people are in serious need of OpenServer exploits
for any of the above, I would be happy to help out.  I'm interested in finding
out what the bug in smtpsrvr is, in particular.

>  2. Algorithmic vulnerabilities in:
>
>    /etc/sysadm.d/bin/userOsa:
>      Can improperly write to privileged files

One of those complicated algorithmic symlink vulnerabilities :) known.

>    /usr/bin/X11/Xsco:
>      Can improperly read privileged files
>      (also buffer overflows)

Unknown, but:

If I recall correctly, I reported this to SCO as a buffer overflow in -query
<hostname> (with a long <hostname>).  If there is an overflow there, I would
suspect that OpenServer has the gethostbyname() overflow that UW7 has.

My memory is just as shady on the "read privileged files" vulnerability.  I
think it was "Xsco -config /etc/shadow" that would print the first line of
/etc/shadow in an error message.

>    /bin/hello:
>      Can improperly acess privileged devices
>      Allows transmission of dangerous characters

Dangerous characters?  Unknown.

>    /bin/write:
>      Allows transmission of dangerous characters

" "  Unknown.

>    /bin/login:
>      Corrupt /etc/dialups causes login failure
>      Insufficient error checking

Unknown.

Thanks to SCO for posting fix information publicly instead of only to
www.sco.com/security and providing actual information about which programs are
vulnerable (even if the information wasn't complete).  I might've hoped for
more timely fixes, but considering the sheer number of holes they had to deal
with, I'm just glad they didn't wait until 5.0.6.

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier () usa net

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1