Source: cve@mitre.org
Vulnerability in login in SCO UNIX 4.2 and earlier allows local users to gain root access.
SCO UNIX 4.2 and earlier are vulnerable to a critical local privilege escalation in the login program that allows a local user to gain root access. This vulnerability, dating back to 1994, poses a significant risk to any legacy systems still in operation, since it enables complete system compromise and data exfiltration.
Step 1: Local Access: The attacker must first have local access to the vulnerable system, either through a compromised account or physical access.
Step 2: Exploit Trigger: The attacker executes a crafted exploit, typically by providing a specially formatted username or password to the login program.
Step 3: Input Processing: The login program processes the attacker's input, potentially triggering a buffer overflow or other memory corruption vulnerability.
Step 4: Memory Corruption: The crafted input overwrites critical memory regions, such as the variable holding the user ID (UID), effectively changing the attacker's privileges.
Step 5: Privilege Escalation: The attacker's effective UID is now set to root (0), granting them full system access.
Step 6: Root Access: The attacker can now execute commands with root privileges, allowing them to install backdoors, steal data, or otherwise compromise the system.
The vulnerability stems from a flaw in the login program's handling of user authentication. Specifically, the program likely fails to properly validate user input or has a buffer overflow vulnerability in how it processes the username or password during the login process. This allows a local user to craft a malicious input that overwrites critical memory locations, potentially including the user ID (UID), effectively granting the attacker root privileges. The root cause is likely a combination of insufficient input validation and insecure memory management practices common in older systems.
Given the age of the vulnerability, a wide range of threat actors, both state-sponsored and financially motivated, could leverage this exploit. It is unlikely to be listed in the CISA KEV catalog because of its age and the rarity of the affected systems in modern environments.
Monitor system logs for unusual login attempts, especially those with malformed usernames or passwords.
Analyze core dumps or crash logs for evidence of memory corruption related to the login program.
Use file integrity monitoring (FIM) tools to detect unauthorized modifications to the login binary.
Monitor network traffic for unusual patterns originating from the compromised system after a successful exploit.
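The first of these checks, as an added example that is not part of the advisory: a Python scanner over constructed login records that flags overlong or non-printable login names and a root session that follows such an attempt on the same terminal. The syslog-like record layout and the 8-character login-name limit are assumptions, not details taken from SCO UNIX 4.2.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: classic UNIX login names are at most 8 characters.
MAX_USERNAME_LEN = 8

# Constructed sample records in a syslog-like layout; the real log format of
# SCO UNIX 4.2 is not given in the advisory, so this layout is an assumption.
SAMPLE_LOG = (
    "Mar  3 08:12:01 host login: LOGIN ON tty01 BY alice\n"
    "Mar  3 08:12:40 host login: FAILED LOGIN 1 FROM tty02 FOR bob\n"
    "Mar  3 08:13:05 host login: FAILED LOGIN 1 FROM tty02 FOR " + "A" * 40 + "\n"
    "Mar  3 08:13:30 host login: LOGIN ON tty02 BY root\n"
    "Mar  3 08:14:02 host login: FAILED LOGIN 1 FROM tty03 FOR ev\x1bl\n"
)

LOGIN_RE = re.compile(
    r"login: (?P<status>LOGIN ON|FAILED LOGIN \d+ FROM) (?P<tty>\S+) (?:BY|FOR) (?P<user>.*)$"
)

@dataclass
class Alert:
    line_no: int
    user: str
    reason: str

def username_problem(user: str) -> Optional[str]:
    """Return a reason string if a login name looks malformed, else None."""
    if len(user) > MAX_USERNAME_LEN:
        return f"login name length {len(user)} exceeds {MAX_USERNAME_LEN}"
    if not user.isprintable():
        return "login name contains non-printable characters"
    if not re.fullmatch(r"[a-z_][a-z0-9_-]*", user):
        return "login name contains unexpected characters"
    return None

def scan_login_log(text: str) -> list:
    """Scan login records; flag malformed names and root sessions that follow them."""
    alerts = []
    suspect_ttys = set()  # terminals that already saw a malformed attempt
    for n, line in enumerate(text.splitlines(), 1):
        m = LOGIN_RE.search(line)
        if not m:
            continue
        user, tty = m["user"], m["tty"]
        problem = username_problem(user)
        if problem:
            alerts.append(Alert(n, user, problem))
            suspect_ttys.add(tty)
        elif m["status"] == "LOGIN ON" and user == "root" and tty in suspect_ttys:
            alerts.append(Alert(n, user, f"root session on {tty} after malformed attempt"))
    return alerts

if __name__ == "__main__":
    for a in scan_login_log(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.user!r}: {a.reason}")
```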
Immediately upgrade to a supported version of SCO UNIX or migrate to a modern operating system.
If upgrading is not possible, apply all available security patches for the affected SCO UNIX version.
Implement strict access controls to limit local user access to the system.
Regularly audit system logs for suspicious activity.
Consider using a host-based intrusion detection system (HIDS) to monitor for malicious activity.