Notified:  May 09, 2002 Updated: December 12, 2002

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Title SCO Security Advisory: UnixWare 7.1.1 Open UNIX 8.0.0 : closed file descriptor race vulnerability Detail SCO Security Advisory Subject: UnixWare 7.1.1 Open UNIX 8.0.0 : closed file descriptor race vulnerability Advisory number: CSSA-2002-SCO.43 Issue date: 2002 December 09 Cross reference: 1. Problem Description On current OpenBSD systems, any local user (being or not in the wheel group) can fill the kernel file descriptors table, leading to a denial of service. Because of a flaw in the way the kernel checks closed file descriptors 0-2 when running a setuid program, it is possible to combine these bugs and earn root access by winning a race condition. Since UnixWare does not have a global kernel file descriptors table (it has per-process dynamic file descriptors table), it is not prone to the denial of service attack and the race condition resulting in root exploit. The second problem, however, does exist - closing file descriptors 0, 1 and/or 2 before exec'ing a setuid program can make this program open files under these fds, which have special meanings for libc (stdin/out/err). Reading or writing to root-owned files can be made possible, since stdXX==opened_file. The fix done for BSD is to check (in the kernel) before exec'ing a set[ug]id program if fd 0, 1 and 2 are closed, and if so redirect them to /dev/null. We have done the same fix for UnixWare. This fix will only kick in when an unprivileged process execs a set[ug]id program. 2. Vulnerable Supported Versions System Binaries UnixWare 7.1.1 /etc/conf/pack.d/proc/Driver_atup.o /etc/conf/pack.d/proc/Driver_mp.o Open UNIX 8.0.0 /etc/conf/pack.d/proc/Driver_atup.o /etc/conf/pack.d/proc/Driver_mp.o 3. Solution The proper solution is to install the latest packages. 4. UnixWare 7.1.1 4.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.43 4.2 Verification MD5 (erg712059.711.pkg.Z) = 1545beb0d12890de701e129de54bf7b6 md5 is available for download from ftp://ftp.sco.com/pub/security/tools 4.3 Installing Fixed Binaries *** NOTE: THE UW711M2 SUPPLEMENT MUST BE INSTALLED PRIOR TO APPLYING THIS UPDATE. Upgrade the affected binaries with the following sequence: Download erg712059.711.pkg.Z to the /var/spool/pkg directory # uncompress /var/spool/pkg/erg712059.711.pkg.Z # pkgadd -d /var/spool/pkg/erg712059.711.pkg 5. Open UNIX 8.0.0 5.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.43 5.2 Verification MD5 (erg712059.ou8.pkg.Z) = 9291ab96576e48b55e981190480855ca md5 is available for download from ftp://ftp.sco.com/pub/security/tools 5.3 Installing Fixed Binaries *** NOTE: THE OU800PK4 SUPPLEMENT MUST BE INSTALLED PRIOR TO APPLYING THIS UPDATE. Upgrade the affected binaries with the following sequence: Download erg712059.ou8.pkg.Z to the /var/spool/pkg directory # uncompress /var/spool/pkg/erg712059.ou8.pkg.Z # pkgadd -d /var/spool/pkg/erg712059.ou8.pkg 6. References Specific references for this advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0766 SCO security resources: http://www.sco.com/support/security/index.html This security fix closes SCO incidents sr865063, fz526562, erg712059. 7. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. 8. Acknowledgements FozZy , et al. discovered and researched this vulnerability.