[UNIX] SCO UnixWare pkgadd Directory Traversal Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 6 Apr 2008 08:10:48 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
SCO UnixWare pkgadd Directory Traversal Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.sco.com/products/unixware714/> SCO UnixWare is "a UNIX
operating system that runs on many OEM platforms. The pkgadd command is
used to install packages on the system". Local exploitation of a directory
traversal vulnerability within the pkgadd program distributed with SCO
Group Inc's UnixWare operating system allows attackers to gain root
privileges.
DETAILS
Vulnerable Systems:
* UnixWare version 7.1.4 with all patches available as of August 27th,
2007 installed
By setting an environment variable to a value containing directory
traversal sequences, such as "../", an attacker can cause the program to
create or append to arbitrary files on the system.
Analysis:
Exploitation allows attackers gain root privileges. Access to execute
arbitrary shell commands is required to exploit this issue.
By targeting specific system files, an attacker can add accounts or
otherwise facilitate privilege escalation.
Workaround:
Changing the permissions of the pkgadd command to only allow root to
execute this program will prevent exploitation of this vulnerability.
# chmod 700 /usr/sbin/pkgadd
Vendor response:
SCO has addressed this vulnerability by releasing patches. For more
information, consult their advisory at the following URL.
<http://www.sco.com/support/update/download/release.php?rid=324>
http://www.sco.com/support/update/download/release.php?rid=324
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0310>
CVE-2008-0310
Disclosure timeline:
09/04/2007 - Initial vendor notification
10/30/2007 - Initial vendor response
04/03/2008 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@xxxxxxxxxxxx> iDefense Labs Security Advisories.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=676>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=676
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NT] SLMail Pro Multiple Denial of Service
- Next by Date: [NT] LANDesk Management Suite Directory Traversal
- Previous by thread: [NT] SLMail Pro Multiple Denial of Service
- Next by thread: [NT] LANDesk Management Suite Directory Traversal
- Index(es):
Relevant Pages
|
|
