Bugtraq mailing list archives

Re: SCO OpenServer Security Status
From: btellier () USA NET (Brock Tellier)
Date: Tue, 21 Dec 1999 14:31:36 MST

> UnixWare read/modify users' mail (/var/spool/mail)
>
>       This is also not applicable on OpenServer.  OpenServer's equivalent
>       is /usr/spool/mail which has 1777 perms (world-writable, but sticky
>       so only owner can delete files).  The local delivery agent will
>       not deliver to a file not owned by the recipient; will not follow
>       symlinks or write to a file with multiple names (hard links);
>       and is designed to avoid race conditions.

The meat of this exploit is not only that the directory is mode 0777, but
that, by SYSV standards (thanks to Aleph for clearing that up for me), we can
change the owner of any file we own.  Therefore, under OpenServer (SYSV
based), we could still create a file, change the owner and have mail delivered
to that user normally.  I don't know if the OpenServer LDA will deliver to a
file which is world-readable, however.


I've marked in the Buffer Overflow list below which ones were known (in the
sense of publicly posted) and which were not.

In addition to the first two vulnerabilities, we are also putting the
finishing touches on another large collection of previously reported
OpenServer vulnerabilities (and vulnerabilities we discovered ourselves)
which will be available by December 25th.  The current contents include
(but will not be limited to):

 1. Buffer overflows in:

   /usr/mmdf/chans/smtpsrvr * unknown
   /etc/killall * unknown
   /etc/popper * known or newer version of old exploit
   /usr/bin/mscreen * known or older version of old exploit
   /usr/bin/rlogin * unknown (same as UnixWare gethostbyname()?)
   /bin/su * unknown (same as UnixWare exploit?)
   /usr/lib/sysadm/termsh * unknown, but I remember doing some work on this
                            program.  I'll re-post if I dig up my files on it.
   /usr/lib/libX11.so.5.0 * all the X problems known 5 years ago
   /usr/bin/X11/xterm * known 
   /usr/bin/X11/xload * known
   /usr/bin/X11/scoterm * known
   /usr/bin/X11/scolock * known
   /usr/bin/X11/scosession * known
   /usr/bin/X11/scologin * known
   /usr/lpd/remote/rlpstat * known
   /usr/lpd/remote/cancel * known
   /usr/lpd/remote/lpmove * known

BTW, if any of you Bugtraq people are in serious need of OpenServer exploits
for any of the above, I would be happy to help out.  I'm interested in finding
out what the bug in smtpsrvr is, in particular.

 2. Algorithmic vulnerabilities in:

>      Can improperly write to privileged files

One of those complicated algorithmic symlink vulnerabilities :) known.

>      Can improperly read privileged files
>      (also buffer overflows)

Unknown, but:

If I recall correctly, I reported this to SCO as a buffer overflow in -query
<hostname> (with a long <hostname>).  If there is an overflow there, I would
suspect that OpenServer has the gethostbyname() overflow that UW7 has.

My memory is just as shady on the "read privileged files" vulnerability.  I
think it was "Xsco -config /etc/shadow" that would print the first line of
/etc/shadow in an error message.

>      Can improperly access privileged devices
>      Allows transmission of dangerous characters

Dangerous characters?  Unknown.

>      Allows transmission of dangerous characters

" "  Unknown.

>      Corrupt /etc/dialups causes login failure
>      Insufficient error checking

Thanks to SCO for posting fix information publicly instead of only to
www.sco.com/security and providing actual information about which programs are
vulnerable (even if the information wasn't complete).  I might've hoped for
more timely fixes, but considering the sheer number of holes they had to deal
with, I'm just glad they didn't wait until 5.0.6.

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier () usa net
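The exchange above turns on the rules SCO says the local delivery agent enforces on /usr/spool/mail: a mailbox must be owned by its recipient, must not be a symlink, and must not have a second name (hard link), plus Tellier's open question about world-readable mailboxes and the directory's own 1777 mode. The script below is an added example for administrators auditing a spool directory against exactly those rules; it is not code from this post, from SCO, or from any OpenServer/UnixWare LDA. The directory layout it builds is a constructed sample under a temporary directory, and `sample_owner_of` is a stand-in uid-to-name mapping so the ownership rule can be exercised without chown; on a real system, drop that argument and `audit_spool` falls back to the passwd database.

```python
import os
import pwd
import stat
import tempfile


def default_owner_of(uid):
    """Map a uid to a login name via the passwd database; fall back to the numeric uid."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def check_spool_dir(spool_dir):
    """Report how the spool directory itself is protected (the 1777 vs 0777 question)."""
    mode = os.lstat(spool_dir).st_mode
    issues = []
    if mode & stat.S_IWOTH:
        if mode & stat.S_ISVTX:
            issues.append("world-writable with sticky bit")
        else:
            issues.append("world-writable without sticky bit")
    return issues


def audit_spool(spool_dir, owner_of=default_owner_of):
    """Return (mailbox, problem) pairs for entries that would not pass the
    delivery-agent rules quoted in the thread: a mailbox must be a regular
    file owned by the user it is named after, must not be a symlink, and must
    not have a second name (hard link).  Group/world-readable mailboxes are
    reported too, since that is the open question in the post."""
    findings = []
    for name in sorted(os.listdir(spool_dir)):
        st = os.lstat(os.path.join(spool_dir, name))  # lstat: do not follow links
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, "symlink"))
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((name, "not a regular file"))
            continue
        if st.st_nlink > 1:
            findings.append((name, "multiple hard links"))
        owner = owner_of(st.st_uid)
        if owner != name:
            findings.append((name, "owned by %s, not %s" % (owner, name)))
        if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((name, "group/world readable"))
    return findings


def build_sample_spool():
    """Constructed sample spool (not a real system): one clean mailbox ('alice'),
    one whose owner will not match its name ('bob'), a symlink ('carol') and a
    hard link to bob's mailbox ('dave')."""
    d = tempfile.mkdtemp(prefix="spool-")
    os.chmod(d, 0o1777)  # the OpenServer mode SCO describes
    for name in ("alice", "bob"):
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("From sender  Tue Dec 21 14:31:36 1999\n")  # constructed mbox line
        os.chmod(p, 0o600)
    os.symlink(os.path.join(d, "alice"), os.path.join(d, "carol"))
    os.link(os.path.join(d, "bob"), os.path.join(d, "dave"))
    return d


def sample_owner_of(uid):
    """Stand-in mapping: every file in the sample spool is reported as alice's,
    so the ownership rule fires for 'bob' and 'dave' without needing root."""
    return "alice"


if __name__ == "__main__":
    spool = build_sample_spool()
    print(spool, check_spool_dir(spool))
    for mailbox, problem in audit_spool(spool, sample_owner_of):
        print("%-8s %s" % (mailbox, problem))
```

Run it as root against the real spool with `audit_spool("/usr/spool/mail")` to get the passwd-based owner lookup; anything it reports is a mailbox the delivery agent should already be refusing, and a file owned by a user other than the one it is named after is precisely the situation the chown-giveaway discussion above is about.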

