Bugtraq mailing list archives

OSF & SCO potential security problems


From: dbock () pacstar com au (Darren Bock)
Date: Mon, 12 Dec 94 10:04:05 EST


While this is old news to anyone who has been around the traps for a while,
it was interesting to see that DEC OSF V3.0 has repeated the mistakes of
people like SCO by creating files that contain security information that
are not owned by root....

Under OSF V3.0 there can be a small trap with the C2 security if you also use
NFS.

'Lionel Provost' (on the alpha-osf-managers () ornl gov list) said:

But, if you have the C2 Security installed you could always
modify /etc/passwd, it doesn't work because /etc/passwd is in
this case a mirror of a database which is in /tcb/files/auth...


This supposed security setup is a bit like what SCO did when they started
using (in)secureware. The one minor problem with the method used to implement
this idea is that root no longer owns these files.

If you are silly enough (or by mistake) to allow your "/" filesystem to be NFS
exported it is fairly trivial for anyone to give themselves root privs on your
system (in this C2 setup).

I have seen people with SCO systems allow unrestricted NFS export on all their
filesystems (including / and /usr). One particular person went on holidays and
forgot his root password; I used this particular trick as an easy way to reset
the root password. It took 3 minutes all up (quicker than a reboot off floppy).

# ls -ld /tcb
8 drwxr-xr-x   5 root     system      8192 Aug 10 02:28 /tcb
# ls -ld /tcb/files
8 drwxrwx--x   3 bin      auth        8192 Aug 10 02:29 /tcb/files
# ls -ld /tcb/files/auth
8 drwxrwx---  28 auth     auth        8192 Oct 14 06:48 /tcb/files/auth
# ls -ld /tcb/files/auth/r
8 drwxrwx---   2 auth     auth        8192 Oct 14 07:00 /tcb/files/auth/r
# ls -l /tcb/files/auth/r/root
1 -rw-rw----   1 auth     auth         627 Aug  9 13:33 /tcb/files/auth/r/root

Essentially you could:
   - replace the entire auth subdirectory with your own  (as user "bin")
   - alter one specific user's information               (as user "auth")

Now just how many other security holes are there that allow you to become the
user "bin", or overwrite arbitrary files aside from NFS......

Maybe someone from DEC could shed some light on this design feature (flaw?) 
and possibly fix it in a future release....


Darren
---
dbock () pacstar com au
My opinions are my own and I do not speak for the company
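
The two conditions the post turns on, security database files under /tcb not owned by root and an export of "/" with no host restriction, as an added audit script that is not part of the original message. It works on ls -l and /etc/exports text rather than the live system; the exports syntax ("/path [-options] [host ...]") and the hostnames are assumptions.

```sh
#!/bin/sh
# Added audit helpers (not code from the original post) for the two
# conditions described in the message: files under /tcb that are not
# owned by root or are group-writable, and an /etc/exports entry that
# exports "/" or exports without any host list. Both read text, not
# the live filesystem, so they run offline. Assumed exports syntax:
# "/path [-options] [host ...]", with -access= counted as a host list.

# stdin: "ls -l" lines (a leading block count, as in the post, is fine).
# stdout: "path (owner:group mode)" for every entry whose owner is not
# root or whose mode string has the group-write bit set.
flag_non_root_or_group_writable() {
    awk '{
        # locate the 10-character mode field, e.g. drwxrwx--x
        for (m = 1; m <= NF; m++) if (length($m) == 10 && $m ~ /^[-dl]/) break
        if (m > NF) next
        owner = $(m + 2); group = $(m + 3); path = $NF
        if (owner != "root" || substr($m, 6, 1) == "w")
            printf "%s (%s:%s %s)\n", path, owner, group, $m
    }'
}

# stdin: /etc/exports lines.  stdout: one warning per risky entry.
flag_risky_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            restricted = 0
            for (i = 2; i <= NF; i++)
                if ($i !~ /^-/ || $i ~ /access=/) restricted = 1
            if ($1 == "/") printf "%s: root filesystem exported\n", $1
            if (!restricted) printf "%s: exported to every host\n", $1
        }'
}

# Constructed sample input: the listing quoted in the post, and a made-up
# exports file (hostnames are placeholders).
TCB_LISTING='8 drwxr-xr-x   5 root     system      8192 Aug 10 02:28 /tcb
8 drwxrwx--x   3 bin      auth        8192 Aug 10 02:29 /tcb/files
8 drwxrwx---  28 auth     auth        8192 Oct 14 06:48 /tcb/files/auth
1 -rw-rw----   1 auth     auth         627 Aug  9 13:33 /tcb/files/auth/r/root'
EXPORTS='# constructed /etc/exports
/        -root=adminhost
/usr     client1 client2
/home    -access=client1'

printf '%s\n' "$TCB_LISTING" | flag_non_root_or_group_writable
printf '%s\n' "$EXPORTS" | flag_risky_exports
```

On the sample listing only /tcb itself passes; the three entries owned by bin and auth are reported, and the "/" export is flagged twice because -root= grants root access to a host without restricting who may mount.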

