SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Scoadminreg (Webtop) Vendors:   Caldera/SCO
(Vendor Issues Fix) Re: Caldera 'scoadminreg.cgi' Component of UnixWare Webtop Lets Local Users Execute Arbitrary Code with Root Privileges to Gain Root Access
SecurityTracker Alert ID:  1003616
SecurityTracker URL:  http://securitytracker.com/id/1003616
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Feb 21 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in the scoadminreg.cgi component of the Caldera/SCO UnixWare Webtop application. A local user can obtain root level privileges on the system.

A local user can execute the scoadminreg utility with a '-c' command line switch and user-supplied program to cause a SCOadmin object registration error. It is reported that the user-supplied program can then be executed with effective root privileges.

According to the report, the following command will trigger the vulnerability (where '/tmp/jggm' is a program that will create a root-owned shell):

/opt/webtop/bin/i3un0212/cgi-bin/admin/scoadminreg.cgi -c /tmp/jggm;/tmp/jggm;

A demonstration exploit script is provided in the Source Message.

Impact:   A local user can cause arbitrary code to be executed with root privileges on the host.
Solution:   The vendor has released a fix for UnixWare 7 and Open UNIX 8:

ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.6/

The verification checksums are:

MD5 (erg711951.Z) = 2f57c25ba7cd3fb0c5ba6ebb7e7fa5f8

Upgrade the affected binaries with the following commands:

Download erg711951.Z to the /tmp directory

# uncompress /tmp/erg711951.Z
# pkgadd -d /tmp/erg711951

As a workaround, you can remove the setuid permissions from the scripts if webtop is not needed:

# chmod -s /opt/webtop/bin/i3un0212/cgi-bin/admin/scoadminreg.cgi
# chmod -s /opt/webtop/bin/i3un0212/cgi-bin/admin/service_action.cgi

Vendor URL:  www.caldera.com/ (Links to External Site)
Cause:   Access control error, Exception handling error, State error
Underlying OS:  UNIX (Open UNIX-SCO)
Underlying OS Comments:  UnixWare 7.1.1, Open UNIX 8

Message History:   This archive entry is a follow-up to the message listed below.
Jan 23 2002 Caldera 'scoadminreg.cgi' Component of UnixWare Webtop Lets Local Users Execute Arbitrary Code with Root Privileges to Gain Root Access



 Source Message Contents

Subject:  Open UNIX, UnixWare 7: Webtop setuid script vulnerability


This is a multi-part message in MIME format.
--------------FF7A90E434377B9AA0339756
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.6/CSSA-2002-SCO.6.txt
--------------FF7A90E434377B9AA0339756
Content-Type: text/plain; charset=us-ascii;
 name="CSSA-2002-SCO.6.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="CSSA-2002-SCO.6.txt"

___________________________________________________________________________

	    Caldera International, Inc. Security Advisory

Subject:		Open UNIX, UnixWare 7: Webtop setuid script vulnerability
Advisory number: 	CSSA-2002-SCO.6
Issue date: 		2002 February 21
Cross reference:
___________________________________________________________________________


1. Problem Description
	
	The setuid scripts in the webtop product  may  be used to gain
	root privileges.


2. Vulnerable Supported Versions

	Operating System	Version		Affected Files
	------------------------------------------------------------------
	UnixWare 7		7.1.1		/opt/webtop/bin/i3un0212/cgi-bin/admin/scoadminreg.cgi
						/opt/webtop/bin/i3un0212/cgi-bin/admin/service_action.cgi
	Open UNIX		8.0.0		/opt/webtop/bin/i3un0212/cgi-bin/admin/scoadminreg.cgi
						/opt/webtop/bin/i3un0212/cgi-bin/admin/service_action.cgi

3. Workaround

	If the webtop functionality is not needed, remove the setuid
	permissions from the scripts:

	# chmod -s /opt/webtop/bin/i3un0212/cgi-bin/admin/scoadminreg.cgi
	# chmod -s /opt/webtop/bin/i3un0212/cgi-bin/admin/service_action.cgi


4. UnixWare 7, Open UNIX 8

  4.1 Location of Fixed Binaries

	ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.6/


  4.2 Verification

	MD5 (erg711951.Z) = 2f57c25ba7cd3fb0c5ba6ebb7e7fa5f8

	md5 is available for download from
		ftp://stage.caldera.com/pub/security/tools/


  4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following commands:

	Download erg711951.Z to the /tmp directory

	# uncompress /tmp/erg711951.Z
	# pkgadd -d /tmp/erg711951


5. References

	This and other advisories are located at
		http://stage.caldera.com/support/security

	This  advisory addresses Caldera Security  internal  incidents
	sr859215, fz519942, erg711951.


6. Disclaimer

	Caldera International, Inc. is not responsible for  the misuse
	of  any of  the  information we provide on our  website and/or
	through our security advisories.  Our advisories are a service
	to our  customers  intended to promote secure installation and
	use of Caldera International products.


7. Acknowledgements

	Caldera   would    like   to   thank   jggm   JeGalGhongMyeung
	<jggm@mail.com>  for  the  discovery  and  research   of  this
	vulnerability.
		       
	 
___________________________________________________________________________

--------------FF7A90E434377B9AA0339756--



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC