-snip-

>UnixWare read/modify users' mail (/var/spool/mail)
>
> This is also not applicable on OpenServer. OpenServer's equivalent
> is /usr/spool/mail which has 1777 perms (world-writable, but sticky
> so only owner can delete files). The local delivery agent will
> not deliver to a file not owned by the recipient; will not follow
> symlinks or write to a file with multiple names (hard links);
> and is designed to avoid race conditions.

The meat of this exploit is not only that the directory is mode 0777,
but that, by SYSV standards (thanks to Aleph for clearing that up for
me), we can change the owner of any file we own. Therefore, under
OpenServer (SYSV based), we could still create a file, change the
owner and have mail delivered to that user normally. I don't know if
that OpenServer LDA will deliver to a file which is world-readable,
however.

-snip-

I've marked in the Buffer Overflow list below which ones were known (in
the sense of publicly posted) and which were not.

>In addition to the first two vulnerabilities, we are also putting the
>finishing touches on another large collection of previously reported
>OpenServer vulnerabilities (and vulnerabilities we discovered ourselves)
>which will be available by December 25th. The current contents include
>(but will not be limited to):
>
> 1. Buffer overflows in:
>
> /usr/mmdf/chans/smtpsrvr   * unknown
> /etc/killall               * unknown
> /etc/popper                * known or newer version of old exploit
> /usr/bin/mscreen           * known or older version of old exploit
> /usr/bin/rlogin            * unknown (same as UnixWare gethostbyname()?)
> /bin/su                    * unknown (same as UnixWare exploit?)
> /usr/lib/sysadm/termsh     * unknown, but I remember doing some work on this program. I'll re-post if I dig up my files on it.
> /usr/lib/libX11.so.5.0     * all the X problems known 5 years ago
> /usr/lib/libXt.so.5.0
> /usr/lib/libXmu.so.5.0
> /usr/lib/libXaw.so.5.0
> /usr/lib/libX11.a
> /usr/lib/libXt.a
> /usr/lib/libXmu.a
> /usr/lib/libXaw.a
> /usr/bin/X11/xterm         * known
> /usr/bin/X11/xload         * known
> /usr/bin/X11/scoterm       * known
> /usr/bin/X11/scolock       * known
> /usr/bin/X11/scosession    * known
> /usr/bin/X11/scologin      * known
> /usr/lpd/remote/rlpstat    * known
> /usr/lpd/remote/cancel     * known
> /usr/lpd/remote/lpmove     * known

BTW, if any of you Bugtraq people are in serious need of OpenServer
exploits for any of the above, I would be happy to help out. I'm
interested in finding out what the bug in smtpsrvr is, in particular.

> 2. Algorithmic vulnerabilities in:
>
> /etc/sysadm.d/bin/userOsa:
> Can improperly write to privileged files

One of those complicated algorithmic symlink vulnerabilities :) known.

>
> /usr/bin/X11/Xsco:
> Can improperly read privileged files
> (also buffer overflows)

Unknown, but: If I recall correctly, I reported this to SCO as a buffer
overflow in -query <hostname> (with a long <hostname>). If there is an
overflow there, I would suspect that OpenServer has the gethostbyname()
overflow that UW7 has. My memory is just as shady on the "read
privileged files" vulnerability. I think it was "Xsco -config
/etc/shadow" that would print the first line of /etc/shadow in an error
message.

>
> /bin/hello:
> Can improperly access privileged devices
> Allows transmission of dangerous characters

Dangerous characters? Unknown.

>
> /bin/write:
> Allows transmission of dangerous characters

" " Unknown.

>
> /bin/login:
> Corrupt /etc/dialups causes login failure
> Insufficient error checking

Unknown.

Thanks to SCO for posting fix information publicly instead of only to
www.sco.com/security and providing actual information about which
programs are vulnerable (even if the information wasn't complete).
I might've hoped for more timely fixes, but considering the sheer number
of holes they had to deal with, I'm just glad they didn't wait until
5.0.6.

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellierat_private

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:22:25 PDT