Strategic Reconnaissance Team Security Advisory (SRT2002-06-04-1611)
Topic : SCO OpenServer crontab format string vulnerability
Date : June 04, 2002
Credit : KF dotslash[at]snosoft.com
Site : http://www.snosoft.com
The SCO OpenServer crontab application is installed setgid cron and can be used to schedule execution of programs and scripts.
This implementation of crontab contains a format string vulnerability which can be used to execute code in order to elevate privileges:
$ crontab %x%x%x%x
crontab: cannot open file 8047f08804a5578047cd48047cd4
Due to the nature of crontab, it is very likely that once 'cron' group privileges have been obtained, it is possible to get higher privileges.
Local users can elevate their privileges through this vulnerability.
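The hex digits printed in place of the file name show that the user-supplied argument reached a printf-style function as its format string. The following is an added example, not code from the advisory or from SCO: it assumes the bug class (the crontab source is not shown here), and the function names are hypothetical. It places the flawed pattern beside the corrected one.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction: the advisory does not include crontab's source.
 * Assumed bug class: a message containing the user-supplied file name is
 * later handed to a printf-style function as the format string. */

#ifdef SHOW_VULNERABLE
/* Flawed pattern, not compiled by default: with "%x%x%x%x" as the file name
 * the behaviour is undefined and stack words are printed, as in the advisory. */
static void report_open_failure_vulnerable(const char *filename)
{
    char msg[256];
    snprintf(msg, sizeof msg, "crontab: cannot open file %s\n", filename);
    fprintf(stderr, msg);               /* BUG: user data used as the format */
}
#endif

/* Corrected pattern: the format is a constant and the file name is only data.
 * Returns the message length, or -1 if the message did not fit in 'out'. */
int format_open_failure(char *out, size_t outlen, const char *filename)
{
    int n = snprintf(out, outlen, "crontab: cannot open file %s", filename);
    return (n >= 0 && (size_t)n < outlen) ? n : -1;
}

void report_open_failure(const char *filename)
{
    char msg[256];
    if (format_open_failure(msg, sizeof msg, filename) < 0)
        fputs("crontab: cannot open file (name too long)\n", stderr);
    else
        fprintf(stderr, "%s\n", msg);   /* always "%s", never msg itself */
}

int main(void)
{
    /* Constructed input: the same argument used in the advisory. */
    report_open_failure("%x%x%x%x");
    return 0;
}
```

With the corrected pattern the directives are echoed back literally instead of being interpreted. Compiling with `-Wformat -Wformat-security` flags the non-literal format in the flawed variant.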
SCO/Caldera OpenServer 5.0.6
The vendor was notified and is diligently working on a fix. Until such a fix has been made available, disable crontab or deny access from untrusted sources to the affected systems.