OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : SCO Internet Manager - local users can gain root level privileges.

To: [email protected] [email protected] [email protected]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    SCO Security Advisory

Subject: OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : SCO Internet
Manager - local users can gain root level privileges.
Advisory number: CSSA-2003-SCO.19
Issue date: 2003 September 10
Cross reference: sr883947 fz528244 erg712420

1. Problem Description

     The SCO Internet Manager (mana) is designed to be run via
     the ncsa_httpd on port 615 and it is password protected.
   
     Running /usr/internet/admin/mana/mana locally is however
     possible. 
     
     By exporting the environment variable REMOTE_ADDR
     and setting it to 127.0.0.1 mana is tricked to execute the
     file menu.mana as if it was run via the nsca_httpd password
     protected area. 
     
     An other interesting environment variable is PATH_INFO 
     which tells mana what .mana file should be run. 
     
     This tells us that mana will execute "hostname" when 
     this file is run. By changing the environment
     variables PATH_INFO to /pass-err.mana and PATH to ./:$PATH
     would make mana execute ./hostname with root privileges.
   

2. Vulnerable Supported Versions

    System                          Binaries
    ----------------------------------------------------------------------
    OpenServer 5.0.5 - 5.0.7        /mana/mana
                                    /mana/doc/menu.mana
                                    /mana/doc/initdone.mana
                                    /mana/doc/passerr.mana
                                    /mana/manahttp
   

3. Solution

    The proper solution is to install the latest packages.
   

4. OpenServer 5.0.7, OpenServer 5.0.6, and OpenServer 5.0.5

    4.1 Location of Fixed Binaries
   
    ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.19
   
   
    4.2 Verification
   
    MD5 (VOL.000.000) = 37b55df2c9000c703a22baafbe9cef42
   
    md5 is available for download from
            ftp://ftp.sco.com/pub/security/tools
   
   
    4.3 Installing Fixed Binaries
   
    Upgrade the affected binaries with the following sequence:
   
    1) Download the VOL* files to the /tmp directory
   
    2) Run the custom command, specify an install from media
    images, and specify the /tmp directory as the location of
    the images.
   

5. References

    Specific references for this advisory:
            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0742 
            http://www.texonet.com/advisories/TEXONET-20030902.txt
   
    SCO security resources:
            http://www.sco.com/support/security/index.html
   
    This security fix closes SCO incidents sr883947 fz528244
    erg712420.
   

6. Disclaimer

    SCO is not responsible for the misuse of any of the information
    we provide on this website and/or through our security
    advisories. Our advisories are a service to our customers
    intended to promote secure installation and use of SCO
    products.
   

7. Acknowledgments

    SCO would like to thank Texonet. Texonet is a Swedish based
    security company with a focus on penetration testing /
    security assessments, research and development.
   

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE/ZXLGaqoBO7ipriERAsQnAJ0XHFi5iDf+m3FEXkrfXeg4FJpSogCfc/8o
j07hHDy47bTVZ6Mg7AjZGNU=
=uxcz
-----END PGP SIGNATURE-----