Message-ID: <004701c3a933$6cec7d50$af00a8c0@XPlappytoppy>
Date: Wed, 12 Nov 2003 16:41:22 +0100
From: "advisories(-at-)texonet.com" <advisories@...onet.com>
To: <bugtraq@...urityfocus.com>
Subject: Insecure handling of procfs descriptors in UnixWare 7.1.1, 7.1.3 and Open UNIX 8.0.0 can lead to local privilege escalation.


-----------------------------------------------------------------------
Texonet Security Advisory 20031024
-----------------------------------------------------------------------
Advisory ID  : TEXONET-20031024
Authors      : Joel Soderberg and Christer Oberg
Issue date   : Friday, October 24, 2003
Publish date : Wednesday, November 12, 2003
Application  : SCO UnixWare/Open UNIX procfs
Version(s)   : UnixWare 7.1.1, 7.1.3 and Open UNIX 8.0.0
Platforms    : SCO UnixWare and Open UNIX
CVE#         : CAN-2003-0937
Availability : http://www.texonet.com/advisories/TEXONET-20031024.txt
-----------------------------------------------------------------------


Problem:
-----------------------------------------------------------------------
Insecure handling of procfs descriptors in UnixWare can lead to local
privilege escalation.


Description:
-----------------------------------------------------------------------
"/proc/$PID/as" contains the address space image of process $PID. It
can be opened and accessed like any other file and used to
manipulate the process. The "as" file is owned by the process owner
and has file permission 600. For obvious reasons this ownership does
not apply to processes spawned from setuid and setgid binaries. This
protection can be bypassed by first obtaining a descriptor to a process
you own, then letting that process execve() a setuid binary. execve()
replaces the process image and honors the setuid bit, but the
descriptor remains open. Then it is just a matter of finding something
interesting to write.
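The mechanism behind the bug is that an open descriptor is inherited across execve() unless the kernel treats it as close-on-exec (or re-checks access on every operation rather than only at open time). The following added example, not part of the advisory, demonstrates this in user space on any POSIX system: a temporary file stands in for "/proc/$PID/as", and the exec'd image (/bin/sh) tries to write through inherited descriptor 3, once without and once with FD_CLOEXEC.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the exec'd image could still write through the
 * descriptor opened before execve(), 0 if it could not, -1 on a
 * setup failure. A constructed temp file models the procfs file. */
int fd_survives_exec(int close_on_exec)
{
    char path[] = "/tmp/cloexec-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                    /* file now lives only via fd */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Give the shell a known descriptor number. dup2() clears
         * FD_CLOEXEC, so the flag is set afterwards when requested. */
        if (fd != 3) {
            if (dup2(fd, 3) < 0)
                _exit(127);
            close(fd);
        }
        if (close_on_exec && fcntl(3, F_SETFD, FD_CLOEXEC) < 0)
            _exit(127);
        /* New program image: same as execve() in the advisory. */
        execl("/bin/sh", "sh", "-c", "echo written >&3", (char *)NULL);
        _exit(127);
    }
    int status;
    waitpid(pid, &status, 0);

    /* Parent: check whether the new image wrote through descriptor 3. */
    char buf[16] = {0};
    lseek(fd, 0, SEEK_SET);
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n > 0 && strncmp(buf, "written", 7) == 0;
}

int main(void)
{
    printf("without FD_CLOEXEC: survives=%d\n", fd_survives_exec(0));
    printf("with FD_CLOEXEC:    survives=%d\n", fd_survives_exec(1));
    return 0;
}
```

The first call reports 1 and the second 0: marking the descriptor close-on-exec is what keeps a handle obtained under one identity from reaching the image that replaces it.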


Workaround:
-----------------------------------------------------------------------
UnixWare 7.1.1, UnixWare 7.1.3 and Open UNIX 8.0.0

Install the latest packages:

ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.32

More information:

http://www.sco.com/support/security/


Disclosure Timeline:
-----------------------------------------------------------------------
10/24/2003: Vendor notified by e-mail
11/12/2003: Public release of advisory


About Texonet:
-----------------------------------------------------------------------
Texonet is a Sweden-based security company with a focus on penetration
testing / security assessments, research and development.


Contacting Texonet:
-----------------------------------------------------------------------
E-mail:    advisories(-at-)texonet.com
Homepage:  http://www.texonet.com/
Phone:     +46-8-55174611

