From security@sco.com Mon Sep 15 16:47:31 2003
From: security@sco.com
To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, announce@lists.caldera.com
Date: Mon, 15 Sep 2003 03:06:54 -0700
Reply-To: please_reply_to_security@sco.com
Subject: [Full-Disclosure] OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : SCO Internet Manager - local users can gain root level privileges.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SCO Security Advisory

Subject:          OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : SCO Internet Manager - local users can gain root level privileges.
Advisory number:  CSSA-2003-SCO.19
Issue date:       2003 September 10
Cross reference:  sr883947 fz528244 erg712420
______________________________________________________________________________


1. Problem Description

   The SCO Internet Manager (mana) is designed to be run via the
   ncsa_httpd on port 615, and it is password protected. It is,
   however, possible to run /usr/internet/admin/mana/mana locally.

   By exporting the environment variable REMOTE_ADDR and setting
   it to 127.0.0.1, mana is tricked into executing the file
   menu.mana as if it had been run via the ncsa_httpd password
   protected area.

   Another interesting environment variable is PATH_INFO, which
   tells mana what .mana file should be run.

   This tells us that mana will execute "hostname" when this
   file is run. Changing the environment variable PATH_INFO
   to /pass-err.mana and PATH to ./:$PATH makes mana
   execute ./hostname with root privileges.


2. Vulnerable Supported Versions

   System                      Binaries
   ----------------------------------------------------------------------
   OpenServer 5.0.5 - 5.0.7    /mana/mana
                               /mana/doc/menu.mana
                               /mana/doc/initdone.mana
                               /mana/doc/passerr.mana
                               /mana/manahttp


3. Solution

   The proper solution is to install the latest packages.


4. OpenServer 5.0.7, OpenServer 5.0.6, and OpenServer 5.0.5

   4.1 Location of Fixed Binaries

   ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.19


   4.2 Verification

   MD5 (VOL.000.000) = 37b55df2c9000c703a22baafbe9cef42

   md5 is available for download from
           ftp://ftp.sco.com/pub/security/tools


   4.3 Installing Fixed Binaries

   Upgrade the affected binaries with the following sequence:

   1) Download the VOL* files to the /tmp directory

   2) Run the custom command, specify an install from media
      images, and specify the /tmp directory as the location of
      the images.


5. References

   Specific references for this advisory:
           http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0742
           http://www.texonet.com/advisories/TEXONET-20030902.txt

   SCO security resources:
           http://www.sco.com/support/security/index.html

   This security fix closes SCO incidents sr883947 fz528244
   erg712420.


6. Disclaimer

   SCO is not responsible for the misuse of any of the information
   we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of SCO
   products.


7. Acknowledgments

   SCO would like to thank Texonet. Texonet is a Swedish-based
   security company with a focus on penetration testing /
   security assessments, research and development.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE/ZXLGaqoBO7ipriERAsQnAJ0XHFi5iDf+m3FEXkrfXeg4FJpSogCfc/8o
j07hHDy47bTVZ6Mg7AjZGNU=
=uxcz
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
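
The problem in section 1 is a privileged program that takes REMOTE_ADDR, PATH_INFO and PATH on trust from whoever launches it; the sketch below shows the usual hardening for such a CGI helper. It is an added example, not SCO's fix and not code from the advisory; the page allowlist, SAFE_PATH, HOSTNAME_BIN and the web-server UID 80 are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

extern char **environ;

#define SAFE_PATH    "/bin:/usr/bin"       /* assumed trusted system directories */
#define HOSTNAME_BIN "/usr/bin/hostname"   /* assumed location; run by absolute path */

/* Pages the tool may render; names follow the advisory's file list (assumed
 * to be the PATH_INFO values the real program accepts). */
static const char *const allowed_pages[] = {
    "/menu.mana", "/initdone.mana", "/passerr.mana", NULL
};

/* Exact-match allowlist: no prefix matching, no "..", no caller-chosen files. */
int page_allowed(const char *path_info) {
    if (path_info == NULL) return 0;
    for (size_t i = 0; allowed_pages[i] != NULL; i++)
        if (strcmp(path_info, allowed_pages[i]) == 0) return 1;
    return 0;
}

/* Drop every inherited variable, then set a fixed PATH, so neither
 * REMOTE_ADDR nor a "./"-prefixed PATH survives from the caller. */
int harden_env(void) {
    static char *empty_env[] = { NULL };
    environ = empty_env;
    return setenv("PATH", SAFE_PATH, 1);
}

/* Authorize on the real UID of the invoking process, not on CGI variables.
 * httpd_uid is a hypothetical service account the web server runs as. */
int request_allowed(uid_t real_uid, uid_t httpd_uid, const char *path_info) {
    return real_uid == httpd_uid && page_allowed(path_info);
}

int main(void) {
    const char *pi = getenv("PATH_INFO");
    char page[64] = "";
    if (pi != NULL) snprintf(page, sizeof page, "%s", pi); /* copy before the wipe */
    if (harden_env() != 0 || !request_allowed(getuid(), (uid_t)80, page)) {
        fputs("request refused\n", stderr);
        return 1;
    }
    printf("would render %s and run %s\n", page, HOSTNAME_BIN);
    return 0;
}
```

A local user who sets REMOTE_ADDR or prepends ./ to PATH is refused on the UID check, and any helper that does run is resolved from the fixed PATH or by absolute path.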