Bugtraq mailing list archives
OSF & SCO potential security problems
From: dbock () pacstar com au (Darren Bock)
Date: Mon, 12 Dec 94 10:04:05 EST
While this is old news to anyone that has been around the traps for a while, it was interesting to see that DEC OSF V3.0 has repeated the mistakes of people like SCO by creating files that contain security information that are not owned by root....

Under OSF V3.0 there can be a small trap with the C2 security if you also use NFS. 'Lionel Provost' (on the alpha-osf-managers () ornl gov list) said:

But, if you have the C2 Security installed you could always modify /etc/passwd, it doesn't work because /etc/passwd is in this case a mirror of a database which is in /tcb/files/auth...
This supposed security setup is a bit like what SCO did when they started using (in)secureware. The one minor problem with the method used to implement this idea is that root no longer owns these files. If you are silly enough (or by mistake) to allow your "/" filesystem to be NFS exported it is fairly trivial for anyone to give themselves root privs on your system (in this C2 setup).

I have seen people with SCO systems allow unrestricted NFS export on all their filesystems (including / and /usr). One particular person went on holidays and forgot his root password. I used this particular trick as an easy way to reset the root password; it took 3 minutes all up (quicker than a reboot off floppy).

    # ls -ld /tcb
    8 drwxr-xr-x 5 root system 8192 Aug 10 02:28 /tcb
    # ls -ld /tcb/files
    8 drwxrwx--x 3 bin auth 8192 Aug 10 02:29 /tcb/files
    # ls -ld /tcb/files/auth
    8 drwxrwx--- 28 auth auth 8192 Oct 14 06:48 /tcb/files/auth
    # ls -ld /tcb/files/auth/r
    8 drwxrwx--- 2 auth auth 8192 Oct 14 07:00 /tcb/files/auth/r
    # ls -l /tcb/files/auth/r/root
    1 -rw-rw---- 1 auth auth 627 Aug 9 13:33 /tcb/files/auth/r/root

Essentially you could:

- replace the entire auth subdirectory with your own (as user "bin")
- alter one specific user's information (as user "auth")

Now just how many other security holes are there that allow you to become the user "bin", or overwrite arbitrary files aside from NFS......

Maybe someone from DEC could shed some light on this design feature (flaw?) and possibly fix it in a future release....

Darren
---
dbock () pacstar com au
My opinions are my own and I do not speak for the company
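An added example, not part of the original post: a defender-side audit of the condition described above, checking every path component down to a security file and reporting any that a non-root account owns or can write. Treating only uid 0 and gid 0 as trusted is an assumption, and `audit_chain` with its parameters is a hypothetical name.

```python
import os
import stat
import sys


def audit_chain(path, base="/", trusted_uids=(0,), trusted_gids=(0,)):
    """Check every component from base down to path.

    Returns (component, reasons) pairs for each component that an account
    outside the trusted sets owns or can write. Write access to a directory
    is enough to rename and replace the entries inside it.
    """
    base, path = os.path.abspath(base), os.path.abspath(path)
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path must be inside base")
    rel = os.path.relpath(path, base)
    findings, current = [], base
    for part in [""] + ([] if rel == "." else rel.split(os.sep)):
        current = os.path.join(current, part) if part else current
        st = os.lstat(current)
        reasons = []
        if st.st_uid not in trusted_uids:
            reasons.append("owned by uid %d" % st.st_uid)
        if not stat.S_ISLNK(st.st_mode):  # symlink mode bits carry no meaning
            if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
                reasons.append("writable by gid %d" % st.st_gid)
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
        if reasons:
            findings.append((current, reasons))
    return findings


if __name__ == "__main__":
    # Default target is the file listed in the post; pass another as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/tcb/files/auth/r/root"
    try:
        for component, reasons in audit_chain(target):
            print("%s: %s" % (component, ", ".join(reasons)))
    except FileNotFoundError as exc:
        print("not present on this host: %s" % exc.filename)
```

Run against the layout in the listing above, the first component reported would be /tcb/files (owner bin, group auth with write access), which is the directory the post says can be used to replace the auth subdirectory.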