OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : SCO Internet Manager - local users can gain root level privileges.

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx, announce@xxxxxxxxxxxxxxxxx
Subject: OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : SCO Internet Manager - local users can gain root level privileges.
From: security@xxxxxxx
Date: Mon, 15 Sep 2003 03:06:54 -0700
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: please_reply_to_security@xxxxxxx
User-agent: Mutt/1.2.5i

To: bugtraq@xxxxxxxxxxxxxxxxx full-disclosure@xxxxxxxxxxxxxxxx 
announce@xxxxxxxxxxxxxxxxx

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : 
SCO Internet Manager - local users can gain root level privileges.
Advisory number:        CSSA-2003-SCO.19
Issue date:             2003 September 10
Cross reference:        sr883947 fz528244 erg712420
______________________________________________________________________________


1. Problem Description

         The SCO Internet Manager (mana) is designed to be run via
         the ncsa_httpd on port 615 and it is password protected.

         Running /usr/internet/admin/mana/mana locally is however
         possible. 
         
         By exporting the environment variable REMOTE_ADDR
         and setting it to 127.0.0.1 mana is tricked to execute the
         file menu.mana as if it was run via the nsca_httpd password
         protected area. 
         
         An other interesting environment variable is PATH_INFO 
         which tells mana what .mana file should be run. 
         
         This tells us that mana will execute "hostname" when 
         this file is run. By changing the environment
         variables PATH_INFO to /pass-err.mana and PATH to ./:$PATH
         would make mana execute ./hostname with root privileges.


2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        OpenServer 5.0.5 - 5.0.7        /mana/mana
                                        /mana/doc/menu.mana
                                        /mana/doc/initdone.mana
                                        /mana/doc/passerr.mana
                                        /mana/manahttp

3. Solution

        The proper solution is to install the latest packages.


4. OpenServer 5.0.7, OpenServer 5.0.6, and OpenServer 5.0.5

        4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.19


        4.2 Verification

        MD5 (VOL.000.000) = 37b55df2c9000c703a22baafbe9cef42

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download the VOL* files to the /tmp directory

        2) Run the custom command, specify an install from media
        images, and specify the /tmp directory as the location of
        the images.


5. References

        Specific references for this advisory:
                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0742 
                http://www.texonet.com/advisories/TEXONET-20030902.txt

        SCO security resources:
                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr883947 fz528244
        erg712420.


6. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.


7. Acknowledgments

        SCO would like to thank Texonet. Texonet is a Swedish based
        security company with a focus on penetration testing /
        security assessments, research and development.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE/ZXLGaqoBO7ipriERAsQnAJ0XHFi5iDf+m3FEXkrfXeg4FJpSogCfc/8o
j07hHDy47bTVZ6Mg7AjZGNU=
=uxcz
-----END PGP SIGNATURE-----

Prev by Date: ChatZilla <=v0.8.23 remote DoS vulnerability
Next by Date: GLSA: mysql (200309-08)
Previous by thread: ChatZilla <=v0.8.23 remote DoS vulnerability
Next by thread: GLSA: mysql (200309-08)
Index(es):
- Date
- Thread