=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


    Date: Вт, 21 дек 1999  00:45:57

   От: Michael Almond <mikea@SCO.COM>

 Кому: BUGTRAQ@SECURITYFOCUS.COM

 Тема: SCO OpenServer Security Status

--------------------------------------------------------------------------------




Here is SCO OpenServer's status regarding the recent (and some

not so recent) BUGTRAQ postings:



UnixWare pkg* command exploits

        OpenServer is not vulnerable in exactly the same way via

        dacread privilege  but vulnerabilities exist through

        buffer overflows - we're working on fixing them.



UnixWare coredumps following symlinks

        OpenServer does not have same exact vulnerability wrt s[ug]id

        programs allowed to dump core but but there are vulnerabilities

        with programs that were s[ug]id and have relaxed it and general

        issues of coredumping on symlinked names - we're working on

        fixing both issues.



Fundamental flaw in UnixWare 7 security

        OpenServer has a different security model to UW7 so this is not

        applicable.



UnixWare read/modify users' mail (/var/spool/mail)

        This is also not applicable on OpenServer.  OpenServer's equivalent

        is /usr/spool/mail which has 1777 perms (world-writable, but sticky

      so only owner can delete files).  The local delivery agent will

        not deliver to a file not owned by the recipient; will not follow

        symlinks or write to a file with multiple names (hard links);

        and is designed to avoid race conditions.



UnixWare and the dacread permission

        OpenServer has a different security model to UW7 so this is not

        applicable.



UnixWare gain root with non-su/gid binaries: xauto

        Not applicable to OpenServer.





We are working on the first two vulnerabilities and will have fixes

available by December 31st.



In addition to the first two vulnerabilities, we are also putting the

finishing touches on another large collection of previously reported

OpenServer vulnerabilities (and vulnerabilities we discovered ourselves)

which will be available by December 25th.  The current contents include

(but will not be limited to):



  1. Buffer overflows in:



    /usr/mmdf/chans/smtpsrvr

    /etc/killall

    /etc/popper

    /usr/bin/mscreen

    /usr/bin/rlogin

    /bin/su

    /usr/lib/sysadm/termsh

    /usr/lib/libX11.so.5.0

    /usr/lib/libXt.so.5.0

    /usr/lib/libXmu.so.5.0

    /usr/lib/libXaw.so.5.0

    /usr/lib/libX11.a

    /usr/lib/libXt.a

    /usr/lib/libXmu.a

    /usr/lib/libXaw.a

    /usr/bin/X11/xterm

    /usr/bin/X11/xload

    /usr/bin/X11/scoterm

    /usr/bin/X11/scolock

    /usr/bin/X11/scosession

    /usr/bin/X11/scologin

    /usr/lpd/remote/rlpstat     

    /usr/lpd/remote/cancel

    /usr/lpd/remote/lpmove





  2. Algorithmic vulnerabilities in:



    /etc/sysadm.d/bin/userOsa:

      Can improperly write to privileged files



    /usr/bin/X11/Xsco:

      Can improperly read privileged files

      (also buffer overflows)



    /bin/hello:

      Can improperly acess privileged devices

      Allows transmission of dangerous characters



    /bin/write:

      Allows transmission of dangerous characters



    /bin/login:

      Corrupt /etc/dialups causes login failure

      Insufficient error checking





Michael Almond

mikea@sco.com

SCO OpenServer Team Lead