Re: SCO POP remote root exploit

[belal () SCO COM (Bela Lubkin)]

A fixed binary is now available in the SCO Security Enhancements
directory on ftp.sco.com:

  ftp://ftp.sco.com/SSE

Get files README and sse013.*.  Check the README for other supplements
that you should also have, depending on your OS release.

The popper fix applies to SCO OpenServer 5.0.0 through 5.0.4, SCO
Internet FastStart 1.0.0 and 1.1.0.  The popper in UnixWare 7 and in
UnixWare 2.x-based Internet FastStart is based on completely different
source and doesn't have this set of problems.

> Bela<

PS: interesting case study.  A friend of mine runs an OSR5 public access
    system.  When this exploit was posted, I immediately broke root on
    his system with it.  I then disabled popper and told him about it.
    He installed a fixed popper binary.  In the succeeding 24 hours,
    syslog showed 5 separate attempts from around the world -- none of
    which succeeded.

    The problem which caused this vulnerability has been well known for
    2-3 weeks.  But until a "no brainer" attack was made available,
    actual attacks weren't happening.