
crontab format string vulnerability
6th Jun 2002 [SBWID-5410]
COMMAND

	crontab format string vulnerability

SYSTEMS AFFECTED

	 SCO/Caldera OpenServer 5.0.6

	

PROBLEM

	KF [http://www.snosoft.com] found the following, as reported in Strategic
	Reconnaissance Team Security Advisory (SRT2002-06-04-1611).
	

	

	The SCO OpenServer crontab application is installed setgid cron and  can
	be used to schedule execution of programs and scripts.
	

	This implementation of crontab contains a  format  string  vulnerability
	which can be used to execute code in order to elevate privileges:
	

	

	 $ crontab %x%x%x%x

	 crontab: cannot open file 8047f08804a5578047cd48047cd4
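
The hex words in that error message are what appears when a user-supplied string reaches a printf-family function as the format argument. The C sketch below is an added example, not SCO's crontab source (which the advisory does not show): the function names report_unsafe and report_safe and the way the message is assembled are assumptions, used to contrast the flawed pattern with the constant-format fix.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the flawed pattern: the error text is
 * assembled first, then handed to a printf-family call AS the format.
 * Any conversion specifier in `name` is interpreted and pulls values
 * from the caller's registers/stack.
 * gcc/clang flag this call with -Wformat -Wformat-security. */
int report_unsafe(char *out, size_t n, const char *name)
{
    char msg[256];
    snprintf(msg, sizeof msg, "crontab: cannot open file %s", name);
    return snprintf(out, n, msg);          /* BUG: data used as format */
}

/* Hardened form: the format is a string constant and the user-supplied
 * file name is only ever passed as an argument to %s. */
int report_safe(char *out, size_t n, const char *name)
{
    return snprintf(out, n, "crontab: cannot open file %s", name);
}

int main(void)
{
    const char *arg = "%x%x%x%x";          /* argument from the session above */
    char buf[256];

    report_unsafe(buf, sizeof buf, arg);   /* undefined behaviour by design */
    printf("unsafe: %s\n", buf);           /* hex words instead of the name */

    report_safe(buf, sizeof buf, arg);
    printf("safe:   %s\n", buf);           /* the literal %x%x%x%x */
    return 0;
}
```
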

	

	

	Due to the nature of crontab, it is very likely that once 'cron' group
	privileges have been obtained, it is possible to get higher privileges.
	

	

	 Impact

	 ======

	

	Local users can elevate their privileges through this vulnerability.

SOLUTION

	The vendor was notified and is diligently working on a fix.  Until  such
	a fix has been made  available  disable  crontab  or  deny  access  from
	untrusted sources to the affected systems.
