Message-ID: <003f01c3a933$41334090$af00a8c0@XPlappytoppy>
From: full-disclosure at texonet.com (Texonet)
Subject: Insecure handling of procfs descriptors in UnixWare 7.1.1, 7.1.3 and Open UNIX 8.0.0 can lead to local privilege escalation.
-----------------------------------------------------------------------
Texonet Security Advisory 20031024
-----------------------------------------------------------------------
Advisory ID : TEXONET-20031024
Authors : Joel Soderberg and Christer Oberg
Issue date : Friday, October 24, 2003
Publish date : Wednesday, November 12, 2003
Application : SCO UnixWare/Open UNIX procfs
Version(s) : UnixWare 7.1.1, 7.1.3 and Open UNIX 8.0.0
Platforms : SCO UnixWare and Open UNIX
CVE# : CAN-2003-0937
Availability : http://www.texonet.com/advisories/TEXONET-20031024.txt
-----------------------------------------------------------------------
Problem:
-----------------------------------------------------------------------
Insecure handling of procfs descriptors in UnixWare can lead to local
privilege escalation.
Description:
-----------------------------------------------------------------------
"/proc/$PID/as" contains the address space image of process $PID. It
can be opened and accessed like any other file and be used to
manipulate the process. The process owner also owns the "as" file, whose
file permission is 600. For obvious reasons this doesn't apply to
processes spawned from setuid and setgid binaries. This protection can
be bypassed by first obtaining a descriptor to a process you own and
then letting that process execve() a setuid binary. execve() will
replace the process image and honor the setuid bit, and the descriptor
will remain open. Then there is just the matter of finding something
interesting to write.
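The check-at-open flaw described above, modelled in C as an added example that is not part of the Texonet advisory and is not UnixWare kernel code. The struct and function names, the uid values and the generation-counter revalidation are assumptions chosen for illustration; the advisory does not say how SCO's update closes the hole.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy model, constructed for illustration: not UnixWare kernel code. */
struct proc {
    int ruid;        /* real uid of the process owner */
    int euid;        /* effective uid, changed by a setuid exec */
    unsigned gen;    /* bumped whenever exec changes credentials */
};

struct as_handle {   /* an open descriptor on /proc/PID/as */
    struct proc *p;
    unsigned gen_at_open;
};

/* open(): access is checked once, against the credentials at open time. */
bool as_open(struct as_handle *h, struct proc *p, int caller_uid) {
    if (caller_uid != 0 && (caller_uid != p->ruid || p->euid != p->ruid))
        return false;            /* not the owner, or target is set-id */
    h->p = p;
    h->gen_at_open = p->gen;
    return true;
}

/* execve(): setuid_owner < 0 means the binary has no setuid bit. */
void model_exec(struct proc *p, int setuid_owner) {
    if (setuid_owner >= 0 && setuid_owner != p->euid) {
        p->euid = setuid_owner;
        p->gen++;                /* marks handles opened earlier as stale */
    }
}

/* Behaviour the advisory describes: the open-time check is never repeated. */
bool as_write_unchecked(const struct as_handle *h) {
    return h->p != NULL;
}

/* Hardened variant: a handle from before a credential change is refused. */
bool as_write_revalidated(const struct as_handle *h) {
    return h->p != NULL && h->gen_at_open == h->p->gen;
}

/* Open as owner, exec a setuid-root binary, then ask whether a write passes. */
bool write_allowed_after_setuid_exec(bool hardened) {
    struct proc p = { .ruid = 1000, .euid = 1000, .gen = 0 };
    struct as_handle h = { 0 };
    if (!as_open(&h, &p, 1000)) return false;
    model_exec(&p, 0);
    return hardened ? as_write_revalidated(&h) : as_write_unchecked(&h);
}
```

The open-time check alone correctly refuses a fresh open against a process that is already set-id; the gap is only for handles obtained before the exec, which is why the hardened variant re-checks at the time of use.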
Workaround:
-----------------------------------------------------------------------
UnixWare 7.1.1, UnixWare 7.1.3 and Open UNIX 8.0.0
Install the latest packages:
ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.32
More information:
http://www.sco.com/support/security/
Disclosure Timeline:
-----------------------------------------------------------------------
10/24/2003: Vendor notified by e-mail
11/12/2003: Public release of advisory
About Texonet:
-----------------------------------------------------------------------
Texonet is a Swedish-based security company with a focus on penetration
testing / security assessments, research and development.
Contacting Texonet:
-----------------------------------------------------------------------
E-mail: advisories(-at-)texonet.com
Homepage: http://www.texonet.com/
Phone: +46-8-55174611