CVE-1999-1138

Source: cve@mitre.org

HIGH
10.0
Published: September 17, 1993 at 04:00 AM
Modified: April 3, 2025 at 01:03 AM

Vulnerability Description

SCO UNIX System V/386 Release 3.2, and other SCO products, installs the home directories (1) /tmp for the dos user, and (2) /usr/tmp for the asg user, which allows other users to gain access to those accounts since /tmp and /usr/tmp are world-writable.

CVSS Metrics

Base Score
10.0
Severity
HIGH
Vector String
AV:N/AC:L/Au:N/C:C/I:C/A:C

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

SCO UNIX systems are vulnerable due to insecure default configurations that grant world-writable permissions to temporary directories used by specific user accounts. This allows attackers to gain unauthorized access to these accounts, potentially leading to system compromise and data breaches.

02 // Vulnerability Mechanism

Step 1: Identify Vulnerable System: The attacker identifies a SCO UNIX system running a vulnerable version of the software.

Step 2: Access the System: The attacker gains initial access to the system, potentially through other vulnerabilities or social engineering.

Step 3: Locate Temporary Directories: The attacker confirms the existence of the world-writable /tmp and /usr/tmp directories.

Step 4: Craft Malicious Payload: The attacker creates a malicious file (e.g., a shell script) designed to gain privileged access or execute arbitrary commands.

Step 5: Upload Payload: The attacker uploads the malicious file to either /tmp or /usr/tmp.

Step 6: Trigger Execution: The attacker waits for either the dos or asg user to log in or for a process running under their context to execute the malicious file. This could be achieved by waiting for a scheduled task or by attempting to log in as the vulnerable user.

Step 7: Gain Access: The malicious file is executed, granting the attacker control over the target account and potentially the system.

03 // Deep Technical Analysis

The vulnerability stems from a flawed configuration during the installation of SCO UNIX System V/386 Release 3.2 and other SCO products. The system creates world-writable temporary directories, specifically /tmp for the dos user and /usr/tmp for the asg user. This configuration flaw allows any user to write to these directories. Since these directories are used as the home directories for these specific users, an attacker can place malicious files (e.g., .profile, .login, or other startup scripts) within these directories. When the dos or asg user logs in (or a process runs under their context), the malicious files are executed, granting the attacker control over the user's account and, potentially, the system.

04 // Exploitation Status

While the vulnerability is old, the underlying configuration issue remains a potential risk if legacy systems are still in use. No public PoC is readily available, but the exploit is straightforward and easily reproducible. The vulnerability is considered **Discovery Only** due to its age and the lack of modern exploitation attempts.

05 // Threat Intelligence

Due to the age of the vulnerability, it's unlikely to be actively targeted by sophisticated APTs. However, it could be exploited by opportunistic attackers or used as part of a broader attack chain. This vulnerability is not listed on the CISA KEV catalog.

06 // Detection & Hunting

  • Monitor file system activity for unexpected modifications within /tmp and /usr/tmp directories.

  • Review system logs for suspicious login attempts or process executions related to the dos and asg users.

  • Implement file integrity monitoring to detect changes to critical system files within /tmp and /usr/tmp.

  • Network traffic analysis: Look for unusual network activity originating from the compromised system after exploitation.

07 // Remediation & Hardening

  • Verify and correct the permissions on /tmp and /usr/tmp to be read/write/execute only for the owner and group, and no permissions for others (chmod 770 /tmp /usr/tmp).

  • Remove or disable the dos and asg user accounts if they are not required.

  • Regularly audit system configurations to identify and remediate insecure settings.

  • Implement a strong password policy and enforce multi-factor authentication (MFA).

  • Patch and update the operating system and all installed software to the latest versions.
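As an added audit example (not code from the CVE record or from SCO), the script below walks passwd(5) entries and flags every account whose home directory is world-writable, which is the condition behind this CVE for the dos and asg users. It reports the sticky-bit case separately but still as a finding, since a sticky /tmp prevents deleting others' files but not planting a new .profile. The passwd lines and the directory tree are constructed for the demonstration, and the `root` parameter is an assumption that lets the check run against that tree instead of the live filesystem.

```python
import os
import stat
import tempfile

# Constructed passwd(5) sample (not from a real system): dos and asg have
# shared temp directories as home, as the advisory describes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
dos:x:201:50:DOS user:/tmp:/bin/sh
asg:x:202:50:asg user:/usr/tmp:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
"""


def audit_homes(passwd_text, root="/"):
    """Return [(user, home, reason)] for accounts whose home directory other
    users can write to. `root` (an assumption for this example) is prepended
    to each home so the audit can run against a constructed tree."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # blank or malformed line
        user, home = fields[0], fields[5]
        path = os.path.join(root, home.lstrip("/"))
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append((user, home, "home directory missing"))
            continue
        if st.st_mode & stat.S_IWOTH:
            # Sticky bit (1777) blocks deleting others' files, not creating
            # new ones such as .profile, so it is still reported.
            sticky = " (sticky)" if st.st_mode & stat.S_ISVTX else ""
            findings.append((user, home, "world-writable" + sticky))
    return findings


def build_sample_tree():
    """Constructed tree for SAMPLE_PASSWD: tmp 1777, usr/tmp 0777, rest 0700."""
    root = tempfile.mkdtemp(prefix="homeaudit-")
    for rel, mode in (("tmp", 0o1777), ("usr/tmp", 0o777),
                      ("root", 0o700), ("home/alice", 0o700)):
        path = os.path.join(root, rel)
        os.makedirs(path)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for user, home, reason in audit_homes(SAMPLE_PASSWD, build_sample_tree()):
        print(f"{user}: home {home} is {reason}")
```

Run against a real system by passing the contents of /etc/passwd and leaving `root` at its default; any account listed with a shared, world-writable home is the pattern this CVE describes.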

08 // Affected Products

  • SCO UNIX System V/386 Release 3.2

  • Other SCO products (specific versions unknown, but likely older SCO UNIX releases)