SecurityTracker.com
Category:   OS (UNIX)  >   procfs
Vendors:   Santa Cruz Operations
SCO UNIX procfs 'as' Access Control Flaw Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1008166
SecurityTracker URL:  http://securitytracker.com/id/1008166
CVE Reference:   CVE-2003-0937
Date:  Nov 13 2003
Impact:   Modification of system information, Root access via local system, User access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): UnixWare 7.1.1, 7.1.3 and Open UNIX 8.0.0
Description:   A vulnerability was reported in SCO UnixWare and Open UNIX in the processing of procfs descriptors. A local user may be able to obtain elevated privileges.

Texonet reported that a local user can bypass security restrictions on the process ID address space image file ('/proc/$PID/as') and write to the file.

A local user can obtain a file descriptor for a process owned by the local user and then have that process call the execve() function for a binary that has set user id (setuid) permissions. According to the report, the execve() function will replace the process image and provide setuid privileges while the descriptor remains open. The local user can then write to the file to obtain setuid privileges.
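The access-control gap described above, reduced to a small C model. This is an added example, not code from Texonet, SCO or SecurityTracker; every struct and function name is hypothetical, and invalidating stale descriptors on a credential-changing exec is shown as one possible mitigation, not as a description of the vendor's fix.

```c
#include <errno.h>
#include <stdio.h>

struct proc {          /* hypothetical, simplified process record */
    int ruid;          /* real uid of the process owner */
    int euid;          /* effective uid; changes on a setuid exec */
    unsigned gen;      /* bumped whenever exec changes credentials */
};

struct as_fd {         /* an open descriptor on /proc/<pid>/as */
    struct proc *p;
    unsigned gen;      /* credential generation seen at open() */
};

/* open(): owner-only, and refused for processes running setuid. */
int as_open(struct proc *p, int caller_uid, struct as_fd *fd) {
    if (caller_uid != 0 && (caller_uid != p->ruid || p->euid != p->ruid))
        return -EACCES;
    fd->p = p;
    fd->gen = p->gen;
    return 0;
}

/* execve() of a setuid binary: same process, new effective uid. */
void exec_setuid(struct proc *p, int file_owner_uid) {
    p->euid = file_owner_uid;
    p->gen++;
}

/* Flawed write path: relies entirely on the check made at open(). */
int as_write_unchecked(const struct as_fd *fd) {
    (void)fd;
    return 0;          /* write is accepted */
}

/* Hardened write path: a descriptor opened before the exec is stale. */
int as_write_checked(const struct as_fd *fd) {
    return fd->gen != fd->p->gen ? -EBADF : 0;
}

int main(void) {
    struct proc p = { 1000, 1000, 0 };   /* constructed sample process */
    struct as_fd fd;
    int opened = as_open(&p, 1000, &fd);
    exec_setuid(&p, 0);
    printf("open=%d flawed=%d hardened=%d\n", opened,
           as_write_unchecked(&fd), as_write_checked(&fd));
    return 0;
}
```

The point of the model is that the permission decision must be tied to the process's current credentials at the time of each access, not only to the moment the descriptor was opened.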

The following notification timeline is provided:

10/24/2003: Vendor notified by e-mail
11/12/2003: Public release of advisory

Impact:   A local user can obtain elevated privileges, including root level privileges, on the target system.
Solution:   The vendor has reportedly issued fixes for UnixWare 7.1.1, UnixWare 7.1.3 and Open UNIX 8.0.0 [a separate Alert will be issued containing the vendor's official advisory]:

ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.32

Vendor URL:  www.sco.com/
Cause:   Access control error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 13 2003 (SCO Issues Fix) Re: SCO UNIX procfs 'as' Access Control Flaw Lets Local Users Gain Elevated Privileges
SCO has issued a fix for UnixWare and Open UNIX.



 Source Message Contents

Subject:  Insecure handling of procfs descriptors in UnixWare 7.1.1, 7.1.3 and Open UNIX 8.0.0 can lead to local privilege escalation.


-----------------------------------------------------------------------
Texonet Security Advisory 20031024
-----------------------------------------------------------------------
Advisory ID  : TEXONET-20031024 
Authors      : Joel Soderberg and Christer Oberg
Issue date   : Friday, October 24, 2003
Publish date : Wednesday, November 12, 2003
Application  : SCO UnixWare/Open UNIX procfs
Version(s)   : UnixWare 7.1.1, 7.1.3 and Open UNIX 8.0.0 
Platforms    : SCO UnixWare and Open UNIX
CVE#         : CAN-2003-0937
Availability : http://www.texonet.com/advisories/TEXONET-20031024.txt
-----------------------------------------------------------------------


Problem:
-----------------------------------------------------------------------
Insecure handling of procfs descriptors in UnixWare can lead to local 
privilege escalation. 


Description:
-----------------------------------------------------------------------
"/proc/$PID/as" contains the address space image of process $PID. It 
can be opened and accessed like any other file and be used to 
manipulate the process. The process owner also owns the "as" file whose
file permission is 600. For obvious reasons this doesn't apply to 
processes spawned from setuid and setgid binaries. This protection can
be bypassed by first obtaining a descriptor to a process you own then 
let that process execve() a setuid binary. execve() will replace the 
process image, honor the setuid bit and the descriptor will remain 
open. Then there is just the matter of finding something interesting 
to write.


Workaround:
-----------------------------------------------------------------------
UnixWare 7.1.1, UnixWare 7.1.3 and Open UNIX 8.0.0

Install the latest packages:

ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.32

More information:

http://www.sco.com/support/security/


Disclosure Timeline:
-----------------------------------------------------------------------
10/24/2003: Vendor notified by e-mail
11/12/2003: Public release of advisory


About Texonet:
-----------------------------------------------------------------------
Texonet is a Swedish-based security company with a focus on penetration
testing / security assessments, research and development.


Contacting Texonet:
-----------------------------------------------------------------------
E-mail:    advisories(-at-)texonet.com
Homepage:  http://www.texonet.com/
Phone:     +46-8-55174611

 
 



Copyright 2021, SecurityGlobal.net LLC