COMMAND

    pis and mkpis

SYSTEMS AFFECTED

    UnixWare 7.x

PROBLEM

    Brock Tellier found the following.  A vulnerability in /usr/local/bin/pis
    on SCO UnixWare allows any user to create arbitrary files with group "sys"
    privileges.  A full root compromise is then trivial.  As usual, this was
    only tested on UnixWare 7.1.

    pis writes its ps output to the fixed path /tmp/pisdata.  By creating a
    symlink from /tmp/pisdata to any sys-owned file, we can overwrite that
    file with ps output.  If we point the symlink at a non-existent file in a
    directory which group sys can write to (such as, say, /sbin/ls), pis will
    create that file mode 666, owned by us, with group sys.  This is a fairly
    simple compromise: /sbin is writable by group sys, so we can create files
    in /sbin owned by us, and root's default $PATH starts with /sbin.

    bash-2.02$ ls -dal /sbin
    drwxrwxr-x    2 root     sys            3072 Dec 28 08:18 /sbin
    bash-2.02$ ln -s /sbin/xnec /tmp/pisdata
    bash-2.02$ pis
    <program output>
    bash-2.02$ ls -la /sbin/xnec
    -rw-rw-rw-    1 xnec     sys            5896 Dec 28 08:28 /sbin/xnec
    bash-2.02$

    As a bonus, /usr/local/bin/mkpis is vulnerable to the same /tmp symlink
    problem.  It has the same permissions as pis.
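    The defect behind both pis and mkpis is the same one: a program running
    with group sys privileges opens a fixed, predictable name in a
    world-writable directory without refusing to follow a symlink already
    planted there.  The following C program is an added example, not code
    from the advisory, from pis, or from SCO/Skunkware; the function names
    are made up for the demonstration.  It runs unprivileged in a private
    scratch directory: it plants a symlink named "pisdata" pointing at a
    file that does not yet exist, then shows that an open() written the way
    the advisory describes follows the link and creates the target, while
    the same open() with O_EXCL|O_NOFOLLOW refuses it, and mkstemp() sidesteps
    the problem entirely by never using a name an attacker could predict.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The pattern the advisory describes: a fixed name in a world-writable
 * directory, opened with O_CREAT and no O_EXCL/O_NOFOLLOW.  If another user
 * has planted a symlink at that name, open() follows it and the target is
 * created or truncated with the caller's (in pis's case, group sys) rights. */
static int open_output_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened: O_EXCL makes open() fail if anything (a symlink included) already
 * sits at the path, and O_NOFOLLOW refuses to follow a symlink in the final
 * component.  Both checks happen inside the single open() call, so there is
 * no lstat()-then-open() window for an attacker to race. */
static int open_output_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: let mkstemp() pick an unpredictable name and create it O_EXCL
 * in one step.  The fixed name /tmp/pisdata is the root cause; a per-run
 * random name leaves nothing for a symlink to be planted at in advance. */
static int open_output_tmpfile(char *template_path)
{
    return mkstemp(template_path);
}

/* Demonstration (hypothetical harness): make a private scratch directory,
 * plant a symlink named "pisdata" pointing at a not-yet-existing "victim"
 * file, and try each opener.  Returns 1 if the unsafe open followed the link
 * (victim got created), the hardened open refused it, and mkstemp()
 * succeeded; 0 otherwise; -1 on setup failure. */
int demo_symlink_check(void)
{
    char dir[64] = "/tmp/pisdemo.XXXXXX";
    char victim[128], link[128], tmpl[128];
    int fd, unsafe_followed = 0, safe_refused = 0, tmp_ok = 0, result = 0;

    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./pisdemo.XXXXXX");   /* fall back to cwd if /tmp is unusable */
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/pisdata", dir);
    snprintf(tmpl, sizeof tmpl, "%s/pisdata.XXXXXX", dir);

    if (symlink(victim, link) != 0)
        goto cleanup;

    /* 1. Unsafe opener: the dangling symlink is followed and "victim" appears. */
    fd = open_output_unsafe(link);
    unsafe_followed = (fd >= 0) && (access(victim, F_OK) == 0);
    if (fd >= 0) close(fd);

    /* 2. Hardened opener: refused with EEXIST (O_EXCL) or ELOOP (O_NOFOLLOW). */
    errno = 0;
    fd = open_output_safe(link);
    safe_refused = (fd < 0) && (errno == EEXIST || errno == ELOOP);
    if (fd >= 0) close(fd);

    /* 3. mkstemp(): a fresh, unpredictable name that no symlink can pre-empt. */
    fd = open_output_tmpfile(tmpl);
    tmp_ok = (fd >= 0);
    if (fd >= 0) close(fd);

    result = unsafe_followed && safe_refused && tmp_ok;

cleanup:
    unlink(victim);
    unlink(link);
    unlink(tmpl);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_symlink_check();
    printf("symlink demo: %s\n",
           r == 1 ? "unsafe opener followed the link, hardened opener refused it"
                  : "unexpected result");
    return r == 1 ? 0 : 1;
}
```

    The hardened opener is the minimal fix when the fixed name must be kept
    for compatibility; a check with lstat() before the open() is not a
    substitute, because the symlink can be planted between the two calls.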

SOLUTION

    These issues are security holes in the distributed versions of this
    package, and are not SCO security holes.  Furthermore, on a system with
    all of the security patches installed, the distributed exploit for
    components of orion (pis, mkpis) will not even work.  Still, SCO do
    recognize that these issues come up from time to time in open licensed
    software that we do not control or maintain.  This is precisely the
    reason for the Skunkware disclaimer.

    Updated versions will appear on the SCO skunkware site

        http://www.sco.com/skunkware

    as they become available and as they get built for SCO platforms.