CVE-2004-0390

HIGH 7.5 / 10.0
Published: December 31, 2004 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

SCO OpenServer 5.0.5 through 5.0.7 only supports Xauthority style access control when users log in using scologin, which allows remote attackers to gain unauthorized access to an X session via other X login methods.

CVSS Metrics

Base Score
7.5
Severity
HIGH
Vector String
AV:N/AC:L/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

SCO OpenServer versions 5.0.5 through 5.0.7 are vulnerable to a critical security flaw allowing unauthorized access to X sessions via alternative login methods. This vulnerability bypasses the intended Xauthority access control, enabling remote attackers to compromise user sessions and potentially gain system control.

02 // Vulnerability Mechanism

Step 1: Target Identification: The attacker identifies a SCO OpenServer system running a vulnerable version (5.0.5-5.0.7).
Step 2: Login Method Selection: The attacker chooses a login method other than scologin (e.g., SSH, telnet) to attempt access to the target system.
Step 3: X Server Connection: The attacker attempts to connect to the X server running on the target system, typically by setting the DISPLAY environment variable to point to the target's X server.
Step 4: Authentication Bypass: Because the chosen login method doesn't properly enforce Xauthority, the attacker is able to connect to the X server without the correct credentials.
Step 5: Session Hijacking: The attacker gains control of the user's X session, allowing them to view the user's desktop, interact with applications, and potentially execute commands with the user's privileges.

03 // Deep Technical Analysis

The vulnerability stems from a flawed implementation of Xauthority access control within SCO OpenServer. The system relies on scologin for proper Xauthority authentication, but other login methods (e.g., ssh, telnet) do not enforce the same level of security, which creates a bypass. The root cause is the lack of consistent enforcement of Xauthority across all login mechanisms. Specifically, the X server trusts the authentication provided by scologin, but other login methods don't properly set or validate the .Xauthority file, allowing an attacker to connect to the X server without proper authorization. The flaw is not a specific code error such as a buffer overflow or race condition, but a design flaw in how access control is implemented and enforced across the different login pathways.

CVE-2004-0390 - HIGH Severity (7.5) | Free CVE Database | 4nuxd