CVE-1999-0828
Published 1999-12-02
CVE-1999-0828: UnixWare pkg commands such as pkginfo, pkgcat, and pkgparam allow local users to read arbitrary files via the dacread permission.
Priority: P4 · 15 · low · 3.6 (CVSS 2.0)
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:N
EXPLOIT
EPSS: 0.79% (51.5th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sco | unixware | — | — |
| sco | unixware | — | — |
No detection rules found.
Exploit-DB
SCO Unixware 7.1 pkgcat - Local Buffer Overflow
exploitdb·1999-12-06
CVE-1999-0828 SCO Unixware 7.1 pkgcat - Local Buffer Overflow
---
// source: https://www.securityfocus.com/bid/853/info
It is possible to view the entries in /etc/shadow by exploiting a buffer overflow in pkgcat and pkginstall. Though neither of these binaries is setuid, the dacread permissions granted in /etc/security/tcb/privs give them the ability to read /etc/shadow. When oversized buffer data is passed to the programs as argv[1], the stack is corrupted and it is possible to spawn a program which would "cat" /etc/shadow with the dacread privs.
/**
** UnixWare 7.1 /usr/sbin/pkgcat exploit
** Prints contents of /etc/shadow (execing shell won't be enough here)
** Demonstrates overflow in uw71's gethostbyname() and dacread permission
** problems. Use offsets of +-100.
**
** C
Exploit-DB
SCO Unixware 7.1 pkginstall - Local Buffer Overflow
exploitdb·1999-12-06
CVE-1999-0988 SCO Unixware 7.1 pkginstall - Local Buffer Overflow
---
// source: https://www.securityfocus.com/bid/853/info
It is possible to view the entries in /etc/shadow by exploiting a buffer overflow in pkgcat and pkginstall. Though neither of these binaries is setuid, the dacread permissions granted in /etc/security/tcb/privs give them the ability to read /etc/shadow. When oversized buffer data is passed to the programs as argv[1], the stack is corrupted and it is possible to spawn a program which would "cat" /etc/shadow with the dacread privs.
/**
** UnixWare 7.1 /usr/sbin/pkginstall exploit
** Prints contents of /etc/shadow (execing shell won't be enough here)
** Demonstrates overflow in uw71's gethostbyname() and dacread permission
** problems. Use offsets of +-100
Exploit-DB
SCO Unixware 7.1 - 'pkg' Local Privilege Escalation
exploitdb·1999-12-03
CVE-1999-0828 SCO Unixware 7.1 - 'pkg' Local Privilege Escalation
---
source: https://www.securityfocus.com/bid/850/info
Certain versions of SCO's UnixWare (only version 7.1 was tested) ship with a series of package install/removal utilities which, due to design issues under the SCO UnixWare operating system, may read any file on the system regardless of its permission set. This is because the package commands (pkginfo, pkgcat, pkgparam, etc.) have extended access through Discretionary Access Controls (DAC) via /etc/security/tcb/privs. This mechanism is explained more thoroughly in the original message to Bugtraq, which is listed in full in the 'Credit' section of this vulnerability entry.
bash-2.02$ ls -la /bin/pkgparam
-r-xr-xr-x 1 root sys 166784 May 21 1999 /bin/pkgparam
bash-2.02$ /bin/pkgparam
No writeups or analysis indexed.
Published: 1999-12-02