COMMAND
scoadmin
SYSTEMS AFFECTED
UnixWare 5.x (SCO_SV unixdev 3.2 5.0.5 i386)
PROBLEM
Richard Johnson (Strategic Reconnaissance Team Security Advisory
SRT2001-09) found the following. scoadmin makes poor use of /tmp:
the file names it creates there are very predictable.
As a user:
ln -s /etc/passwd /tmp/tclerror.1195.log
Wait for root to run scoadmin from X Windows and voilà! When he
does, he will clobber /etc/passwd with a garbage file. The
/tmp/tclerror.PID.log file is only written when an error occurs,
so root needs to have an improper term, or some other error has
to happen. A good way to force an error is to stop xm_vtcld from
opening: leave a file where it wants its socket and it will
complain.
As a normal user:
touch /tmp/5111_342.0
When root goes to run scoadmin he will get an error and clobber
his passwd file through the symlink you left at
/tmp/tclerror.PID.log.
SOLUTION
This doesn't work on UnixWare 7.1.1. Not sure about OpenServer
5.0.6 (that Caldera now has under their own)
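
The general fix for the predictable /tmp/tclerror.PID.log name described under PROBLEM, as an added C example (not scoadmin's code and not part of the advisory): create the log with O_CREAT|O_EXCL so a pre-planted symlink is refused, or let mkstemp() pick the name. The function names, the scratch directory and the "victim" stand-in file are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hardened open: O_CREAT|O_EXCL fails with EEXIST if anything, including a
 * pre-planted symlink, already exists at the name; it never follows the link. */
int open_log_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed demo in a private scratch directory: a symlink sits at the
 * predictable log name and points at a stand-in "victim" file.
 * Returns 0 if the link is refused, the victim is intact, and mkstemp()
 * still yields a usable, unpredictably named log. */
int demo(void) {
    char dir[] = "/tmp/logdemo.XXXXXX";
    char victim[64], log[64], rnd[64], buf[16] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(log, sizeof log, "%s/tclerror.1195.log", dir);
    snprintf(rnd, sizeof rnd, "%s/tclerror.XXXXXX", dir);

    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important", f);
    fclose(f);
    if (symlink(victim, log) != 0) return -1;

    int fd = open_log_excl(log);           /* must be refused */
    int refused = (fd == -1 && errno == EEXIST);
    if (fd != -1) close(fd);

    f = fopen(victim, "r");                /* victim must be unchanged */
    if (!f) return -1;
    if (!fgets(buf, sizeof buf, f)) buf[0] = '\0';
    fclose(f);
    int intact = (strcmp(buf, "important") == 0);

    int rfd = mkstemp(rnd);                /* preferred: random name, mode 0600 */
    int created = (rfd != -1);
    if (created) close(rfd);
    unlink(rnd); unlink(log); unlink(victim); rmdir(dir);
    return (refused && intact && created) ? 0 : 1;
}
int main(void) { return demo(); }
```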