-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================
===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : CERT-NL (Teun Nijssen)                     Index  :    S-93-19
Distribution  : World                                      Page   :          1
Classification: External                                   Version:      Final
Subject       : SCO Home Directory Vulnerability           Date   :  17-Sep-93
==============================================================================

CERT-NL has received information concerning a vulnerability in several
Santa Cruz Operation's Unix versions.
The following text is taken verbatim from the advisory of CERT-CC, one
of CERT-NL's sister organisations in the USA.

=============================================================================
CA-93:13                         CERT Advisory
                               September 17, 1993
                        SCO Home Directory Vulnerability
- -----------------------------------------------------------------------------

The CERT Coordination Center has received information indicating that SCO
Operating Systems may be vulnerable to a potential compromise of system
security.  This vulnerability allows unauthorized access to the "dos" and
"asg" accounts, and, as a result of this access, unauthorized access to 
the "root" account may also occur.

The following releases of SCO products are affected by this vulnerability:

     SCO UNIX System V/386 Release 3.2 Operating System
     SCO UNIX System V/386 Release 3.2 Operating System Version 2.0
     SCO UNIX System V/386 Release 3.2 Operating System version 4.x
     SCO UNIX System V/386 Release 3.2 Operating System Version 4.0 with
         Maintenance Supplement Version 4.1 and/or Version 4.2
     SCO Network Bundle Release 4.x
     SCO Open Desktop Release 1.x
     SCO Open Desktop Release 2.0
     SCO Open Desktop Lite Release 3.0
     SCO Open Desktop Release 3.0
     SCO Open Server Network System Release 3.0
     SCO Open Server Enterprise System Release 3.0

CERT and The Santa Cruz Operation recommend that all sites using these SCO
products take action to eliminate the source of vulnerability from their
systems.  This problem will be corrected in upcoming releases of SCO
operating systems. 

- -----------------------------------------------------------------------------

I.   Description

     The home directories of the users "dos" and "asg" are /tmp and
     /usr/tmp respectively. These directories are designed to have 
     global write permission. 

II.  Impact

     This vulnerability may allow unauthorized users to gain access to 
     these accounts. This vulnerability may also corrupt certain binaries 
     in the system and thus prevent regular users from running them, as well 
     as introduce a potential for unauthorized root access.

III. Solution

     All affected sites should follow these instructions:

     1. Log onto the system as "root"
     2. Choose the following sequence of menu selections from
        the System Administration Shell, which is invoked by
        typing "sysadmsh"

        a. Accounts-->User-->Examine-->
           [select the "dos" account] -->Identity
           -->Home directory-->Create-->Path-->
           [change it to /usr/dos instead of /tmp]--> confirm

        b. Accounts-->User-->Examine-->
           [select the "asg" account] -->Identity
           -->Home directory-->Create-->Path-->
           [change it to /usr/asg instead of /usr/tmp]--> confirm

     3. If DOS binaries have been modified, or sites are unable to 
        determine if modification has occurred, we strongly recommend 
        removing and reinstalling the DOS package of the Operating System 
        Extended Utilities.  This can be done using custom(ADM).

        Sites may also want to check their systems for signs of further
        compromise. This can be facilitated through the use of programs
        such as COPS. Other security advice and suggestions can be found
        in CERT's security checklist. This checklist may be obtained 
        through anonymous FTP from cert.org in pub/tech_tips/security_info.

        Note: COPS may be obtained from many sites, including via 
        anonymous FTP from cert.org in the pub/tools directory.

If you have further questions about this issue, please contact SCO Support 
and ask for more information concerning this CERT advisory, CA-93:13, "SCO 
Home Directory Vulnerability."

        Electronic mail: support@sco.COM

        Europe, Middle East, Africa: 9am-5:30pm British Standard Time (BST)
        ----------------------------
        +44 (0)923 816344 (voice)
        +44 (0)923 817781 (fax)

- ---------------------------------------------------------------------------
The CERT Coordination Center wishes to thank Christopher Durham of the Santa
Cruz Operation for reporting this problem and his assistance in responding to
this problem.
- ---------------------------------------------------------------------------

CERT-NL thanks CERT-CC for sharing this information with its FIRST partners
and advises its constituency to follow the CERT-CC guidelines in this
advisory.

CERT-NL regrets publishing this advisory during the weekend when hackers
might read this earlier than System Managers, however publishes anyway
because the information has become public via other channels in the past
week.

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6WCDSYjBqwfc9jEQKXkACgnLPviIYNgAnBHuyFIecUgNZKshAAn2B3
8rofcE0gjNyeYulKYIg68Z3+
=50c9
-----END PGP SIGNATURE-----