
CSSA-2002-SCO.6- webtop setuid script vulnerability

by Nikola Strahija on February 23rd, 2002

The setuid scripts in the webtop product may be used to gain root privileges.


Vulnerable Supported Versions

Operating System   Version   Affected Files
------------------------------------------------------------------
UnixWare 7         7.1.1     /opt/webtop/bin/i3un0212/cgi-bin/admin/scoadminreg.cgi
                             /opt/webtop/bin/i3un0212/cgi-bin/admin/service_action.cgi
Open UNIX          8.0.0     /opt/webtop/bin/i3un0212/cgi-bin/admin/scoadminreg.cgi
                             /opt/webtop/bin/i3un0212/cgi-bin/admin/service_action.cgi

3. Workaround

If the webtop functionality is not needed, remove the setuid
permissions from the scripts:

# chmod -s /opt/webtop/bin/i3un0212/cgi-bin/admin/scoadminreg.cgi
# chmod -s /opt/webtop/bin/i3un0212/cgi-bin/admin/service_action.cgi


4. UnixWare 7, Open UNIX 8

4.1 Location of Fixed Binaries

ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.6/


4.2 Verification

MD5 (erg711951b.Z) = 53a0eb6dfe4bc1b1d8361ef1c5b488a6

md5 is available for download from
ftp://stage.caldera.com/pub/security/tools/


4.3 Installing Fixed Binaries

Upgrade the affected binaries with the following commands:

Download erg711951b.Z to the /tmp directory

# uncompress /tmp/erg711951b.Z
# pkgadd -d /tmp/erg711951b
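Added example, not part of the Caldera advisory: a POSIX shell script that checks the two CGI scripts listed above for setuid/setgid bits, applies the section 3 "chmod -s" workaround, and verifies a downloaded fix archive against the MD5 sum given in section 4.2. The function names are assumed; the paths and checksum are the advisory's own.

```shell
#!/bin/sh
# Added example (not the advisory's code): audit/strip setuid on the webtop
# admin CGI scripts and verify the fix archive's MD5. Functions take paths as
# arguments so they can be run against any file; defaults are the advisory's.

WEBTOP_ADMIN=/opt/webtop/bin/i3un0212/cgi-bin/admin
ADVISORY_SCRIPTS="$WEBTOP_ADMIN/scoadminreg.cgi $WEBTOP_ADMIN/service_action.cgi"
FIX_MD5=53a0eb6dfe4bc1b1d8361ef1c5b488a6   # MD5 (erg711951b.Z) from section 4.2

# True (0) when the file carries setuid or setgid: `ls -ld` shows s/S in
# the owner (4th) or group (7th) position of the mode string.
has_sid_bit() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ???[sS]*|??????[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report each existing path that still has setuid/setgid on stderr and
# print the count on stdout (0 means the workaround is fully in place).
count_sid() {
    n=0
    for f in "$@"; do
        if [ -e "$f" ] && has_sid_bit "$f"; then
            echo "setuid/setgid still set: $f" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# The advisory's workaround: strip setuid/setgid from the listed scripts.
strip_sid() {
    for f in "$@"; do
        [ -e "$f" ] && chmod -s "$f"
    done
    return 0
}

# Compare a file's MD5 with the expected sum; uses md5sum (GNU) or md5 (BSD).
verify_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        sum=$(md5sum "$1" | cut -d' ' -f1)
    else
        sum=$(md5 -q "$1")
    fi
    [ "$sum" = "$2" ]
}
```

On an affected host run `count_sid $ADVISORY_SCRIPTS` to audit, `strip_sid $ADVISORY_SCRIPTS` for the workaround, and `verify_md5 /tmp/erg711951b.Z "$FIX_MD5"` before `uncompress` and `pkgadd`.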


5. References

This and other advisories are located at
http://stage.caldera.com/support/security

This advisory addresses Caldera Security internal incidents
sr859215, fz519942, erg711951.


6. Disclaimer

Caldera International, Inc. is not responsible for the misuse
of any of the information we provide on our website and/or
through our security advisories. Our advisories are a service
to our customers intended to promote secure installation and
use of Caldera International products.


7. Acknowledgements

Caldera would like to thank jggm JeGalGhongMyeung
for the discovery and research of this
vulnerability.

