Greetings, OVERVIEW Any user can change the owner of any file he or she owns. BACKGROUND All my testing was done on UnixWare 7.1, however chances are excellent that this problem exists for all versions of UnixWare. DETAILS This hole is, erm, different. Apparently any user can change the ownership of any file he or she owns to any other user. But there is no exploit code attached below since all this requires is the use of chown(1). uw71:/usr/home/btellier$ ls -la owned -rw-rw-r-- 1 btellier web 0 Dec 3 15:29 owned uw71:/usr/home/btellier$ chown root owned uw71:/usr/home/btellier$ ls -la owned -rw-rw-r-- 1 root web 0 Dec 3 15:29 owned uw71:/usr/home/btellier$ Interesting, eh? Note that we can NOT change the owner of a suid file without losing the suid bits. Also note that we cannot change the group. Maybe someone else wants to play with this one, but I cannot see any way to make this into instant root. There are, however, a few things that we could do with this privilege: 1. UnixWare's r-services deal doesn't allow an .rhosts file unless the mode is 0xx0, where x can be anything. In addition to this, the user in questionmust also own this file as a security precaution. Various exploits do things like creating any file chmoding it to the user running the exploit. Under UnixWare, this exploit would fail if, for instance, we created . Used in conjuction with this exploit, it would succeed. 2. Any user is able to mask his attempts with various exploits. The best example of this would be my uidadmin exploit which left a shell in /tmp and waited until the next reboot to make it a rootshell. A suspicious sysadmin could easily notice this in /tmp and be tipped off as to who has been rooting his UnixWare box. With this exploit, we could chown it to root or some other user, thereby disassociating ourselves from it. I would welcome any suggestions from any Un*x admin as to what they might use this exploit for, since, whatever it is, it probably affects UnixWare. Brock Tellier UNIX Systems Administrator Chicago, IL, USA btellier@usa.net