Date: Thu, 16 Jul 1998 16:03:58 -0700
From: Bela Lubkin <belal@SCO.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: SCO POP remote root exploit
A fixed binary is now available in the SCO Security Enhancements
directory on ftp.sco.com:
ftp://ftp.sco.com/SSE
Get files README and sse013.*. Check the README for other supplements
that you should also have, depending on your OS release.
The popper fix applies to SCO OpenServer 5.0.0 through 5.0.4, SCO
Internet FastStart 1.0.0 and 1.1.0. The popper in UnixWare 7 and in
UnixWare 2.x-based Internet FastStart is based on completely different
source and doesn't have this set of problems.
>Bela<
PS: interesting case study. A friend of mine runs an OSR5 public access
system. When this exploit was posted, I immediately broke root on
his system with it. I then disabled popper and told him about it.
He installed a fixed popper binary. In the succeeding 24 hours,
syslog showed 5 separate attempts from around the world -- none of
which succeeded.
The problem which caused this vulnerability has been well known for
2-3 weeks. But until a "no brainer" attack was made available,
actual attacks weren't happening.
