Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » [CSSA-2002-SCO.43] UnixWare 7.1.1 Open UNIX 8.0.0 : closed file descriptor race

[CSSA-2002-SCO.43] UnixWare 7.1.1 Open UNIX 8.0.0 : closed file descriptor race

by Nikola Strahija on December 9th, 2002 On current OpenBSD systems, any local user (being or not in the wheel group) can fill the kernel file descriptors table, leading to a denial of service. Because of a flaw in the way the kernel checks closed file descriptors 0-2 when running a setuid program, it is possible to combine these bugs and earn root access by winning a race condition.


Since UnixWare does not have a global kernel file descriptors
table (it has per-process dynamic file descriptors table), it
is not prone to the denial of service attack and the race
condition resulting in root exploit.

The second problem, however, does exist - closing file
descriptors 0, 1 and/or 2 before exec'ing a setuid program
can make this program open files under these fds, which have
special meanings for libc (stdin/out/err). Reading or writing
to root-owned files can be made possible, since
stdXX==opened_file.

The fix done for BSD is to check (in the kernel) before
exec'ing a set[ug]id program if fd 0, 1 and 2 are closed, and
if so redirect them to /dev/null. We have done the same fix
for UnixWare.

This fix will only kick in when an unprivileged process
execs a set[ug]id program.


2. Vulnerable Supported Versions

System Binaries
----------------------------------------------------------------------
UnixWare 7.1.1 /etc/conf/pack.d/proc/Driver_atup.o
/etc/conf/pack.d/proc/Driver_mp.o

Open UNIX 8.0.0 /etc/conf/pack.d/proc/Driver_atup.o
/etc/conf/pack.d/proc/Driver_mp.o


3. Solution

The proper solution is to install the latest packages.


4. UnixWare 7.1.1

4.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.43


4.2 Verification

MD5 (erg712059.711.pkg.Z) = 1545beb0d12890de701e129de54bf7b6

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


4.3 Installing Fixed Binaries

*** NOTE: THE UW711M2 SUPPLEMENT MUST BE INSTALLED PRIOR TO
APPLYING THIS UPDATE.

Upgrade the affected binaries with the following sequence:

Download erg712059.711.pkg.Z to the /var/spool/pkg directory

# uncompress /var/spool/pkg/erg712059.711.pkg.Z
# pkgadd -d /var/spool/pkg/erg712059.711.pkg


5. Open UNIX 8.0.0

5.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.43


5.2 Verification

MD5 (erg712059.ou8.pkg.Z) = 9291ab96576e48b55e981190480855ca

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


5.3 Installing Fixed Binaries

*** NOTE: THE OU800PK4 SUPPLEMENT MUST BE INSTALLED PRIOR TO
APPLYING THIS UPDATE.

Upgrade the affected binaries with the following sequence:

Download erg712059.ou8.pkg.Z to the /var/spool/pkg directory

# uncompress /var/spool/pkg/erg712059.ou8.pkg.Z
# pkgadd -d /var/spool/pkg/erg712059.ou8.pkg


6. References

Specific references for this advisory:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0766

SCO security resources:

http://www.sco.com/support/security/index.html

This security fix closes SCO incidents sr865063, fz526562,
erg712059.


7. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.


8. Acknowledgements

FozZy , et al. discovered and researched
this vulnerability.


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »