===========================================================================
SCO Security Bulletin 00:13
August 7, 2000
Vulnerability in /etc/sysadm.d/bin/userOsa
---------------------------------------------------------------------------

The Santa Cruz Operation has discovered the following problem present in
our software:

I. Description

A security vulnerability in the implementation of userOsa has been
identified which could allow unprivileged users to overwrite files with
group auth permissions.

II. Impact

Any user may overwrite any file with group auth (i.e. /etc/shadow,
/etc/passwd) using /etc/sysadm.d/bin/userOsa. Note that this will not
change the permissions of the file or allow the user to input a passwd
entry string into these files; it will simply clobber the contents of the
file with error output.

When userOsa receives invalid input, it generates a log file called
"debug.log" in the current directory. This file is created with group auth
permissions, no check for this file's existence is made, and symlinks will
be followed. Thus the exploit is as follows:

    scohack:/tmp$ ln -s /etc/shadow.old debug.log
    scohack:/tmp$ /etc/sysadm.d/bin/userOsa
    bah
    connectFail {{SCO_LOCAL_PIPE_ERR_INVALID_CONNECT_REQ {Invalid ConnectRequest: bah}}}
    Failed to listen to client
    Failure in making connection to OSA.

III. Releases

This problem exists on the following releases of SCO operating systems:

- SCO OpenServer 5.0.5
- SCO OpenServer 5.0.4
- SCO OpenServer 5.0.2
- SCO OpenServer 5.0.0
- SCO Internet FastStart 1.0.0 and 1.1.0

IV. Solution

SCO is providing interim patches to address this issue in the form of a
System Security Enhancement (SSE) package. The SSE package is available
for Internet download via anonymous ftp.
You can download the patches as follows:

Anonymous ftp (World Wide Web URL)
-------------

For OpenServer 5 platforms:

    ftp://ftp.sco.com/SSE/sse068d.tar.Z (tar archive)
    ftp://ftp.sco.com/SSE/sse068d.ltr (cover letter)

Checksums
---------

sum -r

    56166 5 sse068d.ltr
    03244 3095 sse068d.tar.Z

Updates:

This bulletin is available for anonymous ftp download from
ftp://ftp.sco.COM/SSE/security_bulletins/SB.00-13d, and will be updated as
new information becomes available.

Further Information:

If you have further questions, contact your support provider. If you need
to contact SCO, please send electronic mail to support@sco.COM, or contact
SCO as follows.

USA/Canada: 6am-5pm Pacific Time (PST/PDT)
-----------
1-800-347-4381 (voice)
1-408-427-5443 (fax)

Pacific Rim, Asia, and Latin American customers: 6am-5pm Pacific Time (PST/PDT)
------------------------------------------------
1-408-425-4726 (voice)
1-408-427-5443 (fax)

Europe, Middle East, Africa: 9am-5:30pm UK Time (GMT/BST)
----------------------------
+44 (0)1923 816344 (voice)
+44 (0)1923 817781 (fax)
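
The debug.log handling described in section II, modelled as an added example (not SCO's code and not part of the original bulletin), with the hardened open call beside it. The flags in open_log_unsafe are an assumption that matches the described behaviour; open_log_safe, run_case, the scratch directory and the sample data are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample data; not taken from any real system. */
static const char SAMPLE[] = "root:constructed-sample-entry\n";
static const char ERR_LINE[] = "connectFail\n";

/* Assumed model of the flaw: no existence check, symlinks are followed. */
int open_log_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0660);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if the name already exists,
 * even as a symlink; O_NOFOLLOW is kept as defence in depth. */
int open_log_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Plants debug.log -> protected file in a scratch directory, logs one error
 * line through the chosen opener, returns the protected file's final size. */
long run_case(int use_safe) {
    char dir[] = "/tmp/symlink-demo-XXXXXX", target[64], logp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(logp, sizeof logp, "%s/debug.log", dir);
    FILE *f = fopen(target, "w");
    if (!f) return -1;
    fputs(SAMPLE, f); fclose(f);
    if (symlink(target, logp) != 0) return -1;
    int fd = use_safe ? open_log_safe(logp) : open_log_unsafe(logp);
    if (fd >= 0) {
        if (write(fd, ERR_LINE, strlen(ERR_LINE)) < 0) perror("write");
        close(fd);
    }
    long size = stat(target, &st) == 0 ? (long)st.st_size : -1;
    unlink(logp); unlink(target); rmdir(dir);
    return size;
}

int main(void) {
    printf("unsafe: %ld bytes left, safe: %ld bytes left\n", run_case(0), run_case(1));
    return 0;
}
```

With the unsafe opener the protected file ends up holding only the error line; with the hardened opener the open fails and the file keeps its original contents.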