CVE

Id
968  
CVE No.
CVE-1999-0988  
Status
Candidate  
Description
UnixWare pkgtrans allows local users to read arbitrary files via a symlink attack.  
Phase
Modified (20000121-01)  
Votes
ACCEPT(3) Baker, Blake, Cole | MODIFY(1) Frech | RECAST(1) Stracener | REVIEWING(1) Christey  
Comments
Stracener> The pkg* programs pkgtrans, pkginfo, pkgcat, pkginstall, and pkgparam | can be used to mount etc/shadow printing attacks as a result of the | "dacread" permission (cf. /etc/security/tcb/privs). The procedural | differences between the individual exploits for each of these utilities | are therefore inconsequential. CVE-1999-0988 should be merged with | CVE-1999-0828. From the standpoint of maintaining consistency of the | level of abstraction used in CVE, the co-existence of CANS | 1999-0988/1999-0828 present two choices: either merge 0988 with 0828, or | split 0828 into 4 distinct candidates, keeping 0988 intact. Due to the | very small differences (in principle) between the exploits subsumed by | 0828 and 0988 and the shared dacread permissions of the pkg* suite, I | suggest a merge. Below is a summary of the data upon which my decision | was based. | utility exploit | -------- ---------------------------------- | pkgtrans --> symlink + dacread permission prob | pkginfo --> truss (debugging utility) in conjunction with pkginfio -d | etc/shadow. In this case, it captures the interaction between | pkginfo the shadow file. Once again: dacread. | pkgcat --> buffer overflow + dacread permission prob | pkginstall -> buffer overflow + dacread permission prob | pkgparam --> -f etc/shadow (works because of dacread). | Christey> This is a tough one. While there are few procedural | differences, one could view "assignment of an improper | permission" as a "class" of problems along the lines of | buffer overflows and the like. Just like some programs | were fine until they got turned into CGI scripts, this | could be an emerging pattern which should be given | consideration. Consider the Eyedog and scriptlet.typelib | ActiveX utilities being marked as safe for scripting | (CVE-1999-0668 and 0669). | | ftp://ftp.sco.com/SSE/security_bulletins/SB-99.28a loosely | alludes to this problem; the README for patch SSE053 | effectively confirms it. | Frech> XF:unixware-pkgtrans-symlink  

Actions

Related CVE References

Id CVE Id CVE No. Reference Actions
2344 968 CVE-1999-0988 BUGTRAQ:19991204 UnixWare pkg* command exploits  View
2345 968 CVE-1999-0988 BUGTRAQ:19991215 Recent postings about SCO UnixWare 7  View
2346 968 CVE-1999-0988 BUGTRAQ:19991223 FYI, SCO Security patches available.  View

Related JVN