
Insecure handling of procfs descriptors in UnixWare 7.1.1, 7.1.3 and Open UNIX 8.0.0 can lead to local privilege escalation.



-----------------------------------------------------------------------
Texonet Security Advisory 20031024
-----------------------------------------------------------------------
Advisory ID  : TEXONET-20031024 
Authors      : Joel Soderberg and Christer Oberg
Issue date   : Friday, October 24, 2003
Publish date : Wednesday, November 12, 2003
Application  : SCO UnixWare/Open UNIX procfs
Version(s)   : UnixWare 7.1.1, 7.1.3 and Open UNIX 8.0.0 
Platforms    : SCO UnixWare and Open UNIX
CVE#         : CAN-2003-0937
Availability : http://www.texonet.com/advisories/TEXONET-20031024.txt
-----------------------------------------------------------------------


Problem:
-----------------------------------------------------------------------
Insecure handling of procfs descriptors in UnixWare can lead to local 
privilege escalation. 


Description:
-----------------------------------------------------------------------
"/proc/$PID/as" contains the address space image of process $PID. It
can be opened and accessed like any other file and used to manipulate
the process. The "as" file is owned by the process owner and has file
permission 600. For obvious reasons this does not apply to processes
spawned from setuid and setgid binaries. This protection can be
bypassed by first obtaining a descriptor to a process you own and then
letting that process execve() a setuid binary. execve() will replace
the process image and honor the setuid bit, and the descriptor will
remain open. Then there is just the matter of finding something
interesting to write.
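
Added example (not part of the Texonet advisory and not UnixWare kernel
code): a toy C model of why a permission check made only at open() time
fails here, next to a write path that re-validates the handle. All
struct and function names are hypothetical, and the generation-counter
check is one possible design, not the vendor's documented fix.

```c
#include <stdbool.h>
#include <stdio.h>
/* Toy model, NOT UnixWare kernel code: every name below is hypothetical. */
struct proc {
    int ruid;      /* real uid of the process owner */
    int euid;      /* effective uid; changes when a setuid file is exec'd */
    unsigned gen;  /* bumped each time exec raises privilege */
};

struct as_handle { /* stands in for an open /proc/$PID/as descriptor */
    struct proc *p;
    int opener_uid;
    unsigned gen;  /* process generation recorded at open() time */
};

/* open(): owner-only (mode 600), and refused for set-id processes. */
static bool as_open(struct proc *p, int uid, struct as_handle *h) {
    if (uid != 0 && (uid != p->ruid || p->euid != p->ruid))
        return false;
    h->p = p; h->opener_uid = uid; h->gen = p->gen;
    return true;
}

/* execve() of a setuid file: same process, new effective uid. */
static void exec_setuid(struct proc *p, int file_owner) {
    p->euid = file_owner; p->gen++;
}

/* Flawed write path: relies on the check made at open() time only. */
static bool write_open_check_only(const struct as_handle *h) { return h->p != NULL; }

/* Hardened write path: a handle predating a privilege change is stale. */
static bool write_revalidated(const struct as_handle *h) {
    return h->p != NULL && (h->opener_uid == 0 || h->gen == h->p->gen);
}

/* Open as uid 100, exec a root-owned setuid file, then try to write. */
static bool write_after_exec(bool hardened) {
    struct proc p = { 100, 100, 0 };
    struct as_handle h = { NULL, -1, 0 };
    if (!as_open(&p, 100, &h)) return false;
    exec_setuid(&p, 0);
    return hardened ? write_revalidated(&h) : write_open_check_only(&h);
}

int main(void) {
    printf("flawed=%d hardened=%d\n", write_after_exec(false), write_after_exec(true));
    return 0;
}
```

In the model, the open-time check alone lets the pre-exec handle keep
working after the privilege change, while the re-validated path rejects
it; a fresh open() by the unprivileged user is refused in both cases.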


Workaround:
-----------------------------------------------------------------------
UnixWare 7.1.1, UnixWare 7.1.3 and Open UNIX 8.0.0

Install the latest packages:

ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.32

More information:

http://www.sco.com/support/security/


Disclosure Timeline:
-----------------------------------------------------------------------
10/24/2003: Vendor notified by e-mail
11/12/2003: Public release of advisory


About Texonet:
-----------------------------------------------------------------------
Texonet is a Swedish-based security company with a focus on penetration
testing / security assessments, research and development.


Contacting Texonet:
-----------------------------------------------------------------------
E-mail:    advisories(-at-)texonet.com
Homepage:  http://www.texonet.com/
Phone:     +46-8-55174611