418 matches found

Packet Storm
added 1999/12/06 12:0 a.m. · 43 views

unixware.pkg.exploits.txt

Greetings, OVERVIEW Most of UnixWare's pkg commands can be exploited to print /etc/shadow, leading to a probable root compromise. BACKGROUND Only tested on UnixWare 7.1. DETAILS The permissions for the UnixWare pkg commands are as follows: bash-2.02$ ls -la /usr/sbin/pkgchk /usr/bin/pkginfo...

7.4 AI score
Exploits: 0

NVD
added 1999/12/04 5:0 a.m. · 17 views

CVE-1999-0988

UnixWare pkgtrans allows local users to read arbitrary files via a symlink attack...

7.2 CVSS · 6.3 AI score · 0.00357 EPSS
Exploits: 0 · References: 1

Packet Storm
added 1999/12/04 12:0 a.m. · 36 views

unixware.chown.txt

Greetings, OVERVIEW Any user can change the owner of any file he or she owns. BACKGROUND All my testing was done on UnixWare 7.1, however chances are excellent that this problem exists for all versions of UnixWare. DETAILS This hole is, erm, different. Apparently any user can change the ownership...

7.4 AI score
Exploits: 0

Positive Technologies
added 1999/12/04 12:0 a.m. · 3 views

PT-1999-1508 · Unixware · Unixware

Name of the Vulnerable Software and Affected Versions: UnixWare affected versions not specified Description: The issue allows local users to read arbitrary files via a symlink attack. Recommendations: At the moment, there is no information about a newer version that contains a fix for this...

7.2 CVSS · 6.1 AI score · 0.00357 EPSS
Exploits: 0 · References: 3

Packet Storm
added 1999/12/04 12:0 a.m. · 32 views

unixware.auto.txt

Greetings, OVERVIEW Although UnixWare's /usr/X/bin/xauto is NOT suid/sgid, we can still overflow a buffer within it and gain root privileges. BACKGROUND Only tested UnixWare 7.1, all other UnixWares should be assumed vulnerable. DETAILS xauto is mode 755, root/sys and yet we can still use a...

7.4 AI score
Exploits: 0

NVD
added 1999/12/03 5:0 a.m. · 16 views

CVE-1999-0866

Buffer overflow in UnixWare xauto program allows local users to gain root privilege...

7.2 CVSS · 6.8 AI score · 0.00576 EPSS
Exploits: 0 · References: 5

NVD
added 1999/12/03 5:0 a.m. · 11 views

CVE-1999-0825

The default permissions for UnixWare /var/mail allow local users to read and modify other users' mail...

3.6 CVSS · 6.3 AI score · 0.00496 EPSS
Exploits: 0 · References: 1

NVD
added 1999/12/03 5:0 a.m. · 10 views

CVE-1999-0864

UnixWare programs that dump core allow a local user to modify files via a symlink attack on the ./core.pid file...

7.2 CVSS · 6.2 AI score · 0.00484 EPSS
Exploits: 0 · References: 5

exploitpack
added 1999/12/03 12:0 a.m. · 21 views

SCO Unixware 7.0/7.0.1/7.1/7.1.1 - coredump Symlink

SCO Unixware 7.0/7.0.1/7.1/7.1.1 - coredump Symlink source: https://www.securityfocus.com/bid/851/info Under certain versions of SCO UnixWare if a user can force a program with SGID (Set Group ID) to dump core they may launch a symlink attack by guessing the PID (Process ID) of the SGID process which th...

7.4 AI score
Exploits: 0

exploitpack
added 1999/12/03 12:0 a.m. · 21 views

SCO Unixware 7.1 - pkg Local Privilege Escalation

SCO Unixware 7.1 - pkg Local Privilege Escalation source: https://www.securityfocus.com/bid/850/info Certain versions of SCO's Unixware (only version 7.1 was tested) ship with a series of package install/removal utilities which due to design issues under the SCO UnixWare operating system may read a...

0.5 AI score
Exploits: 0

exploitpack
added 1999/12/03 12:0 a.m. · 32 views

SCO Unixware 7.1 - /var/mail Permissions

SCO Unixware 7.1 - /var/mail Permissions source: https://www.securityfocus.com/bid/849/info Certain versions of SCO's UnixWare (only 7.1 was tested) ship with the /var/mail/ directory with permission 777 (-rwxrwxrwx). This in effect allows malicious users to read incoming mail for users who do not yet...

7.4 AI score
Exploits: 0

Exploit DB
added 1999/12/03 12:0 a.m. · 32 views

SCO Unixware 7.0/7.0.1/7.1/7.1.1 - 'xauto' Local Buffer Overflow

// source: https://www.securityfocus.com/bid/848/info Certain versions of SCO's UnixWare ship with a version of /usr/X/bin/xauto which is vulnerable to a buffer overflow attack which may result in an attacker gaining root privileges. This is exploitable to gain root privileges even though...

7.4 AI score
Exploits: 0

Exploit DB
added 1999/12/03 12:0 a.m. · 32 views

SCO Unixware 7.1 - '/var/mail' Permissions

source: https://www.securityfocus.com/bid/849/info Certain versions of SCO's UnixWare (only 7.1 was tested) ship with the /var/mail/ directory with permission 777 (-rwxrwxrwx). This in effect allows malicious users to read incoming mail for users who do not yet have a mail file /var/mail/username...

7.4 AI score
Exploits: 0

Exploit DB
added 1999/12/03 12:0 a.m. · 28 views

SCO Unixware 7.1 - 'pkg' Local Privilege Escalation

source: https://www.securityfocus.com/bid/850/info Certain versions of SCO's Unixware (only version 7.1 was tested) ship with a series of package install/removal utilities which due to design issues under the SCO UnixWare operating system may read any file on the system regardless of their permissi...

7.4 AI score
Exploits: 0

exploitpack
added 1999/12/03 12:0 a.m. · 21 views

SCO Unixware 7.0/7.0.1/7.1/7.1.1 - xauto Local Buffer Overflow

SCO Unixware 7.0/7.0.1/7.1/7.1.1 - xauto Local Buffer Overflow // source: https://www.securityfocus.com/bid/848/info Certain versions of SCO's UnixWare ship with a version of /usr/X/bin/xauto which is vulnerable to a buffer overflow attack which may result in an attacker gaining root privileges. Thi...

0.9 AI score
Exploits: 0

Exploit DB
added 1999/12/03 12:0 a.m. · 30 views

SCO Unixware 7.0/7.0.1/7.1/7.1.1 - 'coredump' Symlink

source: https://www.securityfocus.com/bid/851/info Under certain versions of SCO UnixWare if a user can force a program with SGID (Set Group ID) to dump core they may launch a symlink attack by guessing the PID (Process ID) of the SGID process which they are calling. This is required because the...

7.4 AI score
Exploits: 0

NVD
added 1999/12/02 5:0 a.m. · 13 views

CVE-1999-0828

UnixWare pkg commands such as pkginfo, pkgcat, and pkgparam allow local users to read arbitrary files via the dacread permission...

3.6 CVSS · 6.6 AI score · 0.00353 EPSS
Exploits: 0 · References: 1

Packet Storm
added 1999/12/02 12:0 a.m. · 30 views

unixware7.gethostbyname.txt

Greetings, OVERVIEW A serious bug exists in UnixWare 7.1's libc. A buffer overflow in gethostbyname will allow any user to obtain elevated privileges. BACKGROUND Is this the same gethostbyname overflow which was present in ancient versions of non-unixware libc's way back when? I can't say for sur...

7.4 AI score
Exploits: 0

Packet Storm
added 1999/12/02 12:0 a.m. · 36 views

unixware7.uidadmin.txt

Greetings, OVERVIEW SCO UnixWare 7.1's sgid-sys /usr/bin/uidadmin will allow any user to gain root privileges as a result of its ability to write ANY file, not just those traditionally writable by gid-sys. BACKGROUND All of my testing was done on UnixWare 7.1, no other versions have been tested...

7.4 AI score
Exploits: 0

Packet Storm
added 1999/11/26 12:0 a.m. · 20 views

unixware.su.txt

-----Original Message----- Date: Fri, 26 Nov 1999 04:16:41 +0300 MSK From: Matt Conover To: [email protected] cc: [email protected] Subject: w00giving '99 5 and w00news: UnixWare 7's su Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII w00w00 Security Developmen...

Exploits: 0