Title: SCO UnixWare 'uidadmin' Vulnerability
Severity: MODERATE
Description:
Certain versions of SCO UnixWare ship with an exploitable version of the /usr/bin/uidadmin program. 'uidadmin' runs with the dacwrite privilege granted through /etc/security/tcb/privs, which lets it bypass normal file permission checks, and it performs insecure writes to a scratch file in a shared directory (/tmp/ in this instance). By planting a symbolic link at the scratch file's name, a local user can create a file anywhere on the system with contents of their choosing, provided the file does not already exist, or overwrite an existing file with a single string.
This symlink attack is not typical, because of specific features of the UnixWare OS. The following excerpt is from the discoverer of this bug, Brock Tellier. The message in its entirety is referenced in the 'Credit' section of this vulnerability entry.
"UnixWare's system privileges are assigned two-fold. First, it has the standard UNIX suid/sgid conventions. Second, it has a list of programs and the additional privileges they gain when run in /etc/security/tcb/privs.
For instance, /usr/bin/ping is *not* suid/sgid but may still perform raw socket operations because it gains the "driver" privilege in the privs file. Even ln, cp, mkdir and so on must have filesystem modification privileges in this file in order to perform their respective functions.
A program which has "allprivs" defined in /etc/security/tcb/privs may perform any operation as though this program was suid-root. If we are able to overflow a buffer, for instance, in one of these allprivs programs, we could run shellcode normally, but only after we've set our uid to 0. Similarly if we overflowed ping, we could do all the socket operations we want, but we could NOT gain root access.
The uidadmin program does not have allprivs defined, so we cannot just cut to the setreuid(0,0) chase and execute our shell. uidadmin does, however, have the dacwrite privilege and can therefore override all of the normal UNIX DAC (Discretionary Access Control) security precautions (including filemode bits).
Because of the way uidadmin opens "uidata.tmp", we can only either create a file with any contents we desire anywhere on the system (as long as it doesn't exist) or overwrite an existing file with our string."
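The two primitives described in the excerpt (create a file that does not yet exist, or overwrite an existing one with the program's string) both come from the same mistake: a privileged process opening a scratch file by name with O_CREAT|O_TRUNC in a directory where an attacker can pre-plant a symlink. The following C program is an added example written for this entry; it is not code from the advisory, from SCO, or from Brock Tellier's message. It reproduces the pattern on any POSIX system in a private directory it creates itself, using constructed sample data, and shows the hardened open next to the insecure one. The actual open() flags uidadmin used are not given on the page, so INSECURE_FLAGS is an assumption that matches the behaviour the excerpt describes; the scratch name uidata.tmp is taken from the excerpt, and all other names (victim, the demo directory, the function names) are ours.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ORIGINAL "original contents\n"
#define PLANTED  "string chosen by the attacker\n"

/* Insecure open, as the advisory describes it: create or truncate the scratch
 * file by name. A symlink planted on that name is followed, so the write lands
 * at its target, and dacwrite means the target's mode bits do not stop it. */
#define INSECURE_FLAGS (O_WRONLY | O_CREAT | O_TRUNC)

/* Hardened open: O_EXCL fails if the name exists in any form (a symlink counts,
 * even a dangling one) and O_NOFOLLOW refuses to traverse a symlink at all. */
#define HARDENED_FLAGS (O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW)

/* open() with flags and write data; 0 on success, -1 with errno from open(). */
static int scratch_write(const char *path, int flags, mode_t mode, const char *data)
{
    int fd = open(path, flags, mode);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* 1 if the file at path holds exactly expected, 0 otherwise. */
static int contents_equal(const char *path, const char *expected)
{
    char buf[128];
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    ssize_t n = read(fd, buf, sizeof buf);
    close(fd);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}

/* Stage the attack in a private directory (constructed sample data): victim is
 * the file the attacker wants to hit; the scratch name uidata.tmp has already
 * been replaced by a symlink to it. dangling=1 leaves victim nonexistent (the
 * "create a file anywhere" case). The directory is 0700 and not sticky, so
 * Linux's fs.protected_symlinks does not interfere. */
static int setup(char *dir, char *scratch, char *victim, int dangling)
{
    strcpy(dir, "/tmp/uidadmin-demo-XXXXXX");
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./uidadmin-demo-XXXXXX"); /* fallback if /tmp is unusable */
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    snprintf(victim, 256, "%s/victim", dir);
    snprintf(scratch, 256, "%s/uidata.tmp", dir);
    if (!dangling && scratch_write(victim, O_WRONLY | O_CREAT | O_EXCL, 0644, ORIGINAL) < 0)
        return -1;
    return symlink("victim", scratch); /* relative target, resolved inside dir */
}

static void teardown(const char *dir, const char *scratch, const char *victim)
{
    unlink(scratch);
    unlink(victim);
    rmdir(dir);
}

/* 1 if the insecure open wrote PLANTED into victim through the symlink. */
int demo_insecure(int dangling)
{
    char dir[64], scratch[256], victim[256];
    if (setup(dir, scratch, victim, dangling) < 0)
        return -1;
    int hit = scratch_write(scratch, INSECURE_FLAGS, 0644, PLANTED) == 0 && contents_equal(victim, PLANTED);
    teardown(dir, scratch, victim);
    return hit;
}

/* 1 if the hardened open refused the symlink and victim kept its contents. */
int demo_hardened_refuses(void)
{
    char dir[64], scratch[256], victim[256];
    if (setup(dir, scratch, victim, 0) < 0)
        return -1;
    int refused = scratch_write(scratch, HARDENED_FLAGS, 0600, PLANTED) < 0 && (errno == EEXIST || errno == ELOOP);
    int intact = contents_equal(victim, ORIGINAL);
    teardown(dir, scratch, victim);
    return refused && intact;
}

int main(void)
{
    printf("insecure open overwrote existing target: %d\n", demo_insecure(0));
    printf("insecure open created missing target:    %d\n", demo_insecure(1));
    printf("hardened open refused the symlink:       %d\n", demo_hardened_refuses());
    return 0;
}
```

demo_insecure(0) is the "overwrite an existing file with our string" case and demo_insecure(1) the "create a file anywhere, as long as it doesn't exist" case; both succeed because open() follows the planted link. demo_hardened_refuses() shows that O_EXCL alone already closes both holes (the name exists, so creation fails), and O_NOFOLLOW is belt-and-braces for the non-creating case. The root-cause fix for a program like uidadmin is to stop using a predictable name in a shared directory at all: create the scratch file in a directory only the privileged process can write, or use mkstemp(), and keep working on the returned descriptor rather than reopening by path. Note that the demo runs as an ordinary user, so it models the dacwrite bypass only as far as the attacker already being able to write the target; on UnixWare the privilege is what makes root-owned targets reachable.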
Affected Products:
- SCO Unixware 7.0.0
- SCO Unixware 7.0.1
- SCO Unixware 7.1.0
- SCO Unixware 7.1.1
References:
- SCO: SCO Secure Technologies Group
- SCO: Vendor Homepage