Mitsubishi Electric - Computing for a Connected World Insight CD Home Page

Xenix - Unix I.P.B. 3156, 15th September 1993 (PW)

Department: Unix    Category: Software    Implementation: Advisory

SCO Operating Systems - Security

SCO have issued the following warning on a possible compromise to system security where TCP/IP is installed on the system. The potential problem is unauthorised access of the "dos" and "asg" accounts, and as a result of this access, unauthorised access of the "root" account.

The releases of SCO products that are affected are as follows:

SCO UNIX System V/386 Release 3.2 Operating System 3.2.0
SCO UNIX System V/386 Release 3.2 Operating System 3.2v2.[01]
SCO UNIX System V/386 Release 3.2 Operating System 3.2v4.[012]
SCO Network Bundle Release 4.x
SCO Open Desktop Release 1.x
SCO Open Desktop Release 2.0
SCO Open Desktop Lite Release 3.0
SCO Open Desktop Release 3.0
SCO Open Server Network System Release 3.0
SCO Open Server Enterprise System Release 3.0

The Santa Cruz Operation recommends that all sites using these SCO products take action to eliminate the source of vulnerability from their systems. This problem will be corrected in upcoming releases of SCO operating systems.

I. Description

The home directories of the users "dos" and "asg" are /tmp and /usr/tmp respectively. These directories have global write permission. This fact may allow unauthorised logins across a network to these users. A sophisticated user may then be able to acquire root privileges. Note, however, that the users "dos" and "asg" do not themselves have root privileges.

II. Impact

This vulnerability may corrupt certain binaries in the system and thus prevent regular users from running them, as well as introduce a potential for unauthorised root access.

III. Solution

The Santa Cruz Operation recommends that all affected sites follow these instructions:

Log onto the system as "root". Then choose the following sequence of menu selections from the System Administration Shell, which is invoked by typing "sysadmsh":

a.   Accounts-->User-->Examine-->[select the "dos" account]-->Identity-->Home directory-->Create-->Path-->[change it to /usr/dos instead of /tmp]-->confirm

b.   Accounts-->User-->Examine-->[select the "asg" account]-->Identity-->Home directory-->Create-->Path-->[change it to /usr/asg instead of /usr/tmp]-->confirm

Verify that no unauthorised entries are in the files /etc/hosts.equiv or /.rhosts. If unauthorised entries are in these files, your system has been compromised. The following command may also help to determine if your system has been compromised. Execute:

last | egrep "dos|asg"

Should the result of this command show that the user "dos" or "asg" has been logged into the system, your system may have been compromised. If your system has been compromised, then use custom(ADM) to remove and re-install the DOS package of the Operating System Extended Utilities. Changing the home directories of these users as shown and removing and re-installing the DOS package will prevent any new attempts to compromise your system using the same method.
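The checks above (home directories that sit in world-writable directories, entries in /etc/hosts.equiv or /.rhosts, and logins recorded for "dos" or "asg") can be scripted so they are repeatable. The script below is an added example written for this page, not code from SCO or from the bulletin. It runs against constructed fixtures (a made-up /etc/passwd, a made-up hosts.equiv and made-up last(C) output built in a scratch directory) so it can be run offline; on a real system the same functions would be pointed at /etc/passwd, /etc/hosts.equiv, /.rhosts and the live output of last.

```shell
#!/bin/sh
# Added example (not SCO's or Mitsubishi's code): a defender-side audit for
# the conditions the bulletin describes. Every input below is a constructed
# fixture; the hostnames, dates and account details are invented.

# Constructed /etc/passwd lines: name:passwd:uid:gid:gecos:home:shell.
# The dos and asg homes are the world-writable ones named in the bulletin.
SAMPLE_PASSWD='root:x:0:0:Super user:/:/bin/sh
dos:x:16:50:DOS pseudo user:/tmp:/bin/sh
asg:x:17:50:Assignable devices:/usr/tmp:/bin/sh
alice:x:200:50:Alice:/u/alice:/bin/sh'

# Constructed output of last(C).
SAMPLE_LAST='alice    ttyp0    ws1          Wed Sep 15 09:12   still logged in
dos      ttyp1    unknown-host Tue Sep 14 23:41 - 23:44  (00:03)
root     console               Tue Sep 14 08:00 - 17:30  (09:30)'

# Build a scratch tree whose directory modes match the advisory:
# /tmp and /usr/tmp writable by everyone, a normal home that is not.
setup_fixture() {
  fix=$(mktemp -d) || return 1
  mkdir -p "$fix/tmp" "$fix/usr/tmp" "$fix/u/alice"
  chmod 1777 "$fix/tmp"
  chmod 0777 "$fix/usr/tmp"
  chmod 0755 "$fix/u/alice"
  printf '%s\n' "$SAMPLE_PASSWD" > "$fix/passwd"
  # Constructed /etc/hosts.equiv: a comment, a blank line, one named host
  # and the '+' wildcard, which trusts every host on the network.
  printf '# trusted hosts\n\nmailhub\n+\n' > "$fix/hosts.equiv"
  echo "$fix"
}

# Print "user home" for every account whose home directory is writable by
# 'other'. $1 = passwd file, $2 = prefix prepended to each home path.
world_writable_homes() {
  passwd=$1; prefix=$2
  while IFS=: read -r name pw uid gid gecos home shell; do
    dir="$prefix$home"
    [ -d "$dir" ] || continue
    # The ninth character of the symbolic mode is the 'other' write bit.
    mode=$(ls -ld "$dir" | cut -c1-10)
    case "$mode" in
      ????????w?) echo "$name $home" ;;
    esac
  done < "$passwd"
}

# Print the effective (non-comment, non-blank) lines of a trust file such as
# /etc/hosts.equiv or /.rhosts so each entry can be reviewed by hand.
trust_entries() {
  grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# The bulletin's `last | egrep "dos|asg"`, anchored to the user column so a
# hostname that happens to contain "dos" is not a false positive.
suspect_logins() {
  printf '%s\n' "$SAMPLE_LAST" | grep -E '^(dos|asg)[[:space:]]'
}

# Stand-alone run: print each finding, then remove the scratch tree.
demo=$(setup_fixture)
echo "== accounts whose home directory is world-writable =="
world_writable_homes "$demo/passwd" "$demo"
echo "== effective entries in hosts.equiv =="
trust_entries "$demo/hosts.equiv"
echo "== logins recorded for dos or asg =="
suspect_logins
rm -rf "$demo"
```

Any account listed by world_writable_homes needs a private home directory, as the sysadmsh steps above do for "dos" and "asg"; a '+' line from trust_entries means every host is trusted for rlogin/rsh and should be treated as an unauthorised entry unless it was placed there deliberately.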

Note

Compromising your system with this method involves the co-operation of a current user of the system. A user with sufficient sophistication may gain root access to the system and then use root privileges to thwart detection by the above or other methods. Should you feel that this may have happened or continues to happen, it is advisable to take whatever precautions you feel are necessary to prevent or stop the incursion. Please note that systems without TCP/IP are not vulnerable to this particular method of compromising the system.

----------oOo----------
