[UNIX] SCO UnixWare pkgadd Directory Traversal Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



SCO UnixWare pkgadd Directory Traversal Vulnerability
------------------------------------------------------------------------


SUMMARY

<http://www.sco.com/products/unixware714/> SCO UnixWare is "a UNIX
operating system that runs on many OEM platforms. The pkgadd command is
used to install packages on the system". Local exploitation of a directory
traversal vulnerability within the pkgadd program distributed with SCO
Group Inc's UnixWare operating system allows attackers to gain root
privileges.

DETAILS

Vulnerable Systems:
* UnixWare version 7.1.4 with all patches available as of August 27th,
2007 installed

By setting an environment variable to a value containing directory
traversal sequences, such as "../", an attacker can cause the program to
create or append to arbitrary files on the system.

Analysis:
Exploitation allows attackers gain root privileges. Access to execute
arbitrary shell commands is required to exploit this issue.

By targeting specific system files, an attacker can add accounts or
otherwise facilitate privilege escalation.

Workaround:
Changing the permissions of the pkgadd command to only allow root to
execute this program will prevent exploitation of this vulnerability.

# chmod 700 /usr/sbin/pkgadd

Vendor response:
SCO has addressed this vulnerability by releasing patches. For more
information, consult their advisory at the following URL.
<http://www.sco.com/support/update/download/release.php?rid=324>
http://www.sco.com/support/update/download/release.php?rid=324

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0310>
CVE-2008-0310

Disclosure timeline:
09/04/2007 - Initial vendor notification
10/30/2007 - Initial vendor response
04/03/2008 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by
<mailto:idlabs-advisories@xxxxxxxxxxxx> iDefense Labs Security Advisories.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=676>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=676



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [NT] WinPcap NPF.SYS Local Privilege Escalation Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Local exploitation of an input validation vulnerability within the NPF.SYS ... Exploitation allows attackers to execute arbitrary code in kernel context. ... The vulnerable device driver is loaded when WinPcap is initialized. ...
    (Securiteam)
  • [UNIX] Trend Micro VirusWall Buffer Overflow in VSAPI Library
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... buffer overflow vulnerability in VSAPI library allows arbitrary code ... is called "vscan" which is set suid root by default. ... permissions and thus granted all local users the privilege to execute the ...
    (Securiteam)
  • [NT] Qualcomm WorldMail IMAP Server Directory Traversal
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Exploitation of a directory transversal vulnerability in Qualcomm ... WorldMail IMAP Server allows attackers to read any email stored on the ...
    (Securiteam)
  • [UNIX] SCO Multiple Local Buffer Overflow
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Local exploitation of a buffer overflow vulnerability in the ppp binary, ... allows attackers to gain root privileges. ...
    (Securiteam)
  • [NT] Microsoft Word 6.0/95 Document Converter Buffer Overflow (MS04-041)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... WordPad is "a word processing application that uses the MFC rich edit ... Remote exploitation of a buffer overflow vulnerability in Microsoft ... Microsoft Word format files into the Rich Text Format natively handled by ...
    (Securiteam)