CVE-2000-0003
Description
Buffer overflow in UnixWare rtpm program allows local users to gain elevated privileges via a long environmental variable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A buffer overflow vulnerability exists in the rtpm program shipped with UnixWare. The program fails to properly bounds-check an environmental variable before copying it into a fixed-size buffer. This allows a local attacker to overflow the buffer by supplying an overly long value for the affected variable. The vulnerability is present in versions of UnixWare prior to the patch released in January 2000 [1].
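The bounds check whose absence is described above, as an added example in C; it is not code from rtpm, SCO or this page. The function names, the 64-byte `BUF_SIZE` and the variable name `EXAMPLE_VAR` are assumptions, since the page gives neither the buffer size nor the name of the affected variable.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64   /* constructed size; the page does not give rtpm's buffer size */

/* Unsafe pattern of the kind described above (comment only):
 *     char buf[BUF_SIZE];
 *     strcpy(buf, getenv(name));    no length check, no NULL check
 */

/* Copy val into dst (dstsize bytes). Returns 0 on success, -1 on a NULL
 * or zero-sized argument, -2 if val does not fit. dst is left empty on
 * failure; an over-long value is rejected rather than truncated. */
int copy_value_bounded(const char *val, char *dst, size_t dstsize)
{
    size_t len;

    if (dst == NULL || dstsize == 0)
        return -1;
    dst[0] = '\0';
    if (val == NULL)
        return -1;
    len = strlen(val);
    if (len >= dstsize)
        return -2;
    memcpy(dst, val, len + 1);   /* len + 1 copies the terminating NUL */
    return 0;
}

/* Same check applied to an environment variable; unset maps to -1. */
int copy_env_bounded(const char *name, char *dst, size_t dstsize)
{
    return copy_value_bounded(getenv(name), dst, dstsize);
}

int main(void)
{
    char buf[BUF_SIZE];
    /* EXAMPLE_VAR is a hypothetical name; the page does not name the variable. */
    int rc = copy_env_bounded("EXAMPLE_VAR", buf, sizeof buf);
    if (rc != 0) {
        fprintf(stderr, "EXAMPLE_VAR unset or too long (rc=%d)\n", rc);
        return 1;
    }
    printf("EXAMPLE_VAR=%s\n", buf);
    return 0;
}
```

Rejecting an over-long value outright, instead of truncating it, keeps a privileged program from acting on a partial value it did not validate.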
Exploitation
Exploitation requires local access to the system. The attacker sets the targeted environmental variable to a value exceeding the buffer capacity, then executes the rtpm program. The overflow corrupts adjacent memory, potentially overwriting the return address or other critical data. No authentication beyond a local user account is needed; the attacker must be able to run the rtpm binary.
Impact
Successful exploitation allows the attacker to execute arbitrary code with the privileges of the rtpm process. Since rtpm may run with elevated privileges (e.g., setuid root), this can result in full root compromise. The impact is local privilege escalation from a standard user account to superuser.
Mitigation
SCO released patches for this vulnerability in January 2000, available from the SCO security website [1]. Administrators should apply the appropriate patch for their UnixWare version. If patching is not possible, removing the setuid bit from the rtpm binary or restricting access to trusted users may reduce risk, but these are incomplete workarounds.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References
[1] marc.info (nvd)