OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : SCO Internet Manager - local users can gain root level privileges.
To: bugtraq@xxxxxxxxxxxxxxxxx full-disclosure@xxxxxxxxxxxxxxxx
announce@xxxxxxxxxxxxxxxxx
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 :
SCO Internet Manager - local users can gain root level privileges.
Advisory number: CSSA-2003-SCO.19
Issue date: 2003 September 10
Cross reference: sr883947 fz528244 erg712420
______________________________________________________________________________
1. Problem Description
The SCO Internet Manager (mana) is designed to be run via
the ncsa_httpd on port 615 and it is password protected.
Running /usr/internet/admin/mana/mana locally is however
possible.
By exporting the environment variable REMOTE_ADDR
and setting it to 127.0.0.1 mana is tricked to execute the
file menu.mana as if it was run via the nsca_httpd password
protected area.
An other interesting environment variable is PATH_INFO
which tells mana what .mana file should be run.
This tells us that mana will execute "hostname" when
this file is run. By changing the environment
variables PATH_INFO to /pass-err.mana and PATH to ./:$PATH
would make mana execute ./hostname with root privileges.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
OpenServer 5.0.5 - 5.0.7 /mana/mana
/mana/doc/menu.mana
/mana/doc/initdone.mana
/mana/doc/passerr.mana
/mana/manahttp
3. Solution
The proper solution is to install the latest packages.
4. OpenServer 5.0.7, OpenServer 5.0.6, and OpenServer 5.0.5
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.19
4.2 Verification
MD5 (VOL.000.000) = 37b55df2c9000c703a22baafbe9cef42
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to the /tmp directory
2) Run the custom command, specify an install from media
images, and specify the /tmp directory as the location of
the images.
5. References
Specific references for this advisory:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0742
http://www.texonet.com/advisories/TEXONET-20030902.txt
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr883947 fz528244
erg712420.
6. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
7. Acknowledgments
SCO would like to thank Texonet. Texonet is a Swedish based
security company with a focus on penetration testing /
security assessments, research and development.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)
iD8DBQE/ZXLGaqoBO7ipriERAsQnAJ0XHFi5iDf+m3FEXkrfXeg4FJpSogCfc/8o
j07hHDy47bTVZ6Mg7AjZGNU=
=uxcz
-----END PGP SIGNATURE-----