Vulnerability Development mailing list archives

Owning privileged processes under UnixWare


From: btellier () USA NET (Tellier, Brock)
Date: Mon, 6 Dec 1999 20:24:45 -0000


Greetings,

I hope some of you have been following my UnixWare posts on Bugtraq because this development will be mostly based on that.

Basically, UnixWare programs gain privileges not only from being suid/sgid, but also from /etc/security/tcb/privs.  
Some of the additional privileges gained might be the ability to setuid() at will or read/write to any file on the 
system regardless of permissions.

The major problem is that UnixWare still allows you to own one of these privileged processes, inasmuch as you can still 
truss(1) them.  Since you can truss them, I would assume you have complete control over the process.  Since I'm not exactly 
Mr. procfs, I was wondering if there is a way to be able to launch one of these privileged programs and hijack the 
process, making it open(), setuid() or something else.

When I asked horizon about this, he mentioned that I might want to try using the old LD_PRELOAD trick instead.  
However, UnixWare doesn't seem to support this. Maybe there is another, simpler way to cause the privileged program to 
do something silly.

Any ideas?

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier () usa net

