Vulnerability Development mailing list archives

Re: Owning privileged processes under UnixWare


From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Tue, 7 Dec 1999 00:09:27 -0800


Basically, UnixWare programs gain privileges not only from being suid/sgid, but also
from /etc/security/tcb/privs.  Some of the additional privileges gained might be the
ability to setuid() at will or read/write to any file on the system regardless of
permissions.

FYI, Lucent (nee AT&T products division) uses UnixWare as a basis for its
switch adjunct products, such as the Conversant (IVR) and Intuity
(voicemail), at least in the more recent versions.

Lucent has made some extraordinarily bad choices for their stock installs
with respect to the tcb stuff.  On several pieces of Lucent equipment, I
found accounts with no password that were permitted to run passwd as root
under the tcb setup.

It took me 20 minutes (not being familiar with UnixWare) to realize that
the TCB config stuff I was looking at was there to *enable* privilege use,
not *prevent* it.  I couldn't believe that type of thing would exist.  Of
course, the config files (on my Lucent system) were all world-readable, so
anyone could determine who could run what.

I plan to rip Lucent a new one with a full report later on, but I thought
I'd bring up this piece since you mentioned it.

Get this:  I used the above hole to change root's password (which you're
not really supposed to have) 3 times.  Every time Lucent came back in,
they'd change it to something else.  They didn't say a word to us.  Next
time, I'll change the motd to "3y3 0wn u!" and see if they say anything.
Lucent doesn't give you root on your own box, and if you were to try
something as stupid as applying security patches, they would void your
support contract.  (They threatened to void mine over putting in a
symlink.)

                                                        BB

P.S.  But at least I'm not bitter. :)

