SCO UnixWare 7.1.1, 7.1.3, and Open UNIX 8.0.0 contain a flaw that may allow a malicious local user to escalate their privileges. The issue is that procfs descriptors are handled insecurely. This allows malicious users to bypass the protection on a setuid/setgid file's process address space image ('/proc/$PID/as') and manipulate it. It is possible, because of the flaw, for a local user to run arbitrary code as another local user, resulting in a loss of confidentiality, integrity, and/or availability.

Unknown or Incomplete

'/proc/$PID/as' contains the address space image of process $PID. It can be opened and accessed like any other file and be used to manipulate the process. The process owner also owns the 'as' file whose file permission is 600. For obvious reasons this doesn't apply to processes spawned from setuid and setgid binaries. This protection can be bypassed by first obtaining a descriptor to a process you own then let that process execve() a setuid binary. execve() will replace the process image, honor the setuid bit and the descriptor will remain open. Then there is just the matter of finding something interesting to write.

Upgrade to the latest packages, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Secunia Advisory ID: 10217
• CVE ID: 2003-0937 (see also: NVD)
• Vendor Specific Solution URL: ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.32
• Vendor Specific Advisory URL: ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.32/CSSA-2003-SCO.32.txt
• Generic Informational URL: http://www.texonet.com/advisories/TEXONET-20031024.txt

Unknown or Incomplete