Greetings,
I hope some of you have been following my UnixWare posts on Bugtraq because this development will be mostly based on that.
Basically, UnixWare programs gain privileges not only from being suid/sgid, but also from /etc/security/tcb/privs. Some of the additional privileges gained might be the ability to setuid() at will or read/write to any file on the system regardless of permissions.
The major problem is that UnixWare still allows you to own one of these privileged processes, inasmuch as you can still truss(1) them. Since you can truss them, I would assume you have complete control over the process. Since I'm not exactly Mr. procfs, I was wondering if there is a way to be able to launch one of these privileged programs and hijack the process, making it open(), setuid() or something else.
When I asked horizon about this, he mentioned that I might want to try using the old LD_PRELOAD trick instead. However, UnixWare doesn't seem to support this. Maybe there is another, simpler way to cause the privileged program to do something silly.
Any ideas?
Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier_at_usa.net
Received on Dec 06 1999
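Added example (not part of the post above, and not SCO/UnixWare code): from a defender's side, the first thing to know is which programs on a host carry the extra grants the post describes, and whether those binaries are themselves protected. The script below parses a constructed sample of an /etc/security/tcb/privs-style file, flags entries that grant the capabilities the post names (setuid at will, DAC read/write override, or everything), and can optionally check each flagged binary on disk. The entry format `path:fixed=<privs>:inher=<privs>` and the lower-case privilege names are assumptions made for the example, not taken from UnixWare documentation; adapt the parser to the real file before using it.

```python
"""Audit helper for UnixWare-style privilege grants (added example).

The entry format 'path:fixed=<privs>:inher=<privs>' and the privilege
names in RISKY are ASSUMPTIONS for this example, modelled loosely on
the P_* privilege names of SVR4.2-derived systems; they are not taken
from UnixWare documentation.
"""
import os
import stat
from dataclasses import dataclass, field

# Privileges the post singles out as especially risky (assumed names).
RISKY = {"allprivs", "setuid", "dacread", "dacwrite", "owner"}


@dataclass
class PrivEntry:
    path: str
    fixed: set = field(default_factory=set)
    inher: set = field(default_factory=set)


def parse_privs(text):
    """Parse 'path:fixed=a,b:inher=c' lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        entry = PrivEntry(path=parts[0])
        for part in parts[1:]:
            key, _, value = part.partition("=")
            privs = {p.strip().lower() for p in value.split(",") if p.strip()}
            if key == "fixed":
                entry.fixed |= privs
            elif key == "inher":
                entry.inher |= privs
        entries.append(entry)
    return entries


def risky_grants(entries):
    """Return {path: sorted risky privilege names} for entries worth review."""
    findings = {}
    for e in entries:
        hit = (e.fixed | e.inher) & RISKY
        if hit:
            findings[e.path] = sorted(hit)
    return findings


def file_hygiene_issues(path):
    """Checks to apply to each privileged binary on disk: it must exist,
    be a regular file, be root-owned and not be group/world writable
    (anyone who can replace the file inherits its privilege grant)."""
    issues = []
    try:
        st = os.stat(path)
    except OSError:
        return ["missing"]
    if not stat.S_ISREG(st.st_mode):
        issues.append("not a regular file")
    if st.st_uid != 0:
        issues.append("not owned by root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("group/world writable")
    return issues


# Constructed sample in the assumed format; not a real UnixWare privs file.
SAMPLE_PRIVS = """\
# constructed sample
/usr/bin/passwd:fixed=dacread,dacwrite,owner,setuid:inher=
/usr/bin/date:fixed=:inher=
/usr/sbin/backup:fixed=dacread:inher=dacread
/usr/local/bin/tool:fixed=allprivs:inher=allprivs
"""


def audit(text=SAMPLE_PRIVS, check_disk=False):
    """Map each flagged path to its risky privileges and (optionally) disk issues."""
    report = {}
    for path, privs in risky_grants(parse_privs(text)).items():
        report[path] = {
            "privs": privs,
            "file_issues": file_hygiene_issues(path) if check_disk else [],
        }
    return report


if __name__ == "__main__":
    # On a real host: audit(open("/etc/security/tcb/privs").read(), check_disk=True)
    for path, info in audit().items():
        print(f"{path}: {','.join(info['privs'])}")
```

Run it against the real file with check_disk=True to get both the list of programs that deserve the same scrutiny as set-uid binaries and any of them whose ownership or mode would let a local user replace the program and inherit its grant.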