
Unixware 5.x scoadmin predictable /tmp filenames
Vulnerability

    scoadmin

Affected

    Unixware 5.x (SCO_SV unixdev 3.2 5.0.5 i386)

Description

    Richard Johnson (Strategic Reconnaissance Team Security Advisory
    SRT2001-09) found the following.  scoadmin makes poor use of /tmp:
    the file names it uses there are very predictable.

    As a user:

        ln -s /etc/passwd /tmp/tclerror.1195.log

    Wait for root to run scoadmin from X Windows and voilà!  When he
    does, he will clobber /etc/passwd with a garbage file.  In order
    to get the /tmp/tclerror.pid.log written, you need root to have an
    improper term or some other error to happen.  A good way to force
    an error is to stop xm_vtcld from opening: kindly leave a file
    where it wants its socket and it will complain.

    As a normal user:

        touch /tmp/5111_342.0

    When root goes to run scoadmin he will get an error and clobber
    his passwd file due to the ln -s on the tclerror.PID.log you left
    for him.

Solution

    This doesn't work on UnixWare 7.1.1.  Not sure about OpenServer
    5.0.6 (that Caldera now has under their own)
