[11814] in bugtraq
SCO 5.0.5 /bin/doctor nightmare
daemon@ATHENA.MIT.EDU (Brock Tellier)
Fri Sep 10 11:20:03 1999
Message-Id:  <009501befa15$915fe270$3177a8c0@webley>
Date:         Wed, 8 Sep 1999 11:16:55 -0500
Reply-To: Brock Tellier <btellier@WEBLEY.COM>
From: Brock Tellier <btellier@WEBLEY.COM>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Greetings,

Sometimes we miss the forest for the trees, security-wise. It would appear that I was right in my last doctor post "If a hole like this exists, there are undoubtedly countless more lurking within.", though I never would've imagined to this degree. It would appear that doctor allows any user to have complete control over the system not via an exploit but simply by the nature of the program. If I didn't know any better, I would guess that doctor was meant to be mode 700 gone strangely awry and ended up suid-root and world executable.

The "Command Execution" menu option under "Tools" allows you to run any command you wish with uid/gid 0. I swear I am not making this up. It doesn't appear as though doctor does any security checks at all.

Lest you think this is a mere misconfiguration on my part, I re-installed a clean version of 5.0.5+skunkware and re-tested. One has to wonder what is going on in Santa Cruz.

The fix, of course, is to chmod 700 /bin/doctor and not look back.
Brock Tellier
UNIX Systems Administrator
Webley Systems
www.webley.com
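The exposure described in the post is a setuid program that every user on the box can execute. The following shell script is an added example, not part of Brock Tellier's post and not SCO code: it audits a directory tree for setuid files that group or other can still execute, and applies the chmod 700 fix the post recommends. The fixture directory, the fake `doctor` and `safe` files in it, and the function names are all constructed for the example. Because the fixture is owned by whoever runs the script, the check keys on the setuid bit alone; on a real system you would add `-user root` to the `find` to restrict it to setuid-root binaries.

```shell
#!/bin/sh
# Added example: audit for setuid files reachable by group/other and apply
# the post's chmod 700 fix. Runs as an ordinary user against a scratch
# directory, so it never touches a real /bin/doctor.

# List setuid files under $1 that group or other can execute (sorted).
# -perm -4000 requires the setuid bit; the parenthesised test requires
# either group-execute (0010) or other-execute (0001) as well.
find_exposed_setuid() {
    find "$1" -type f -perm -4000 \( -perm -0010 -o -perm -0001 \) 2>/dev/null | sort
}

# Count the files reported by find_exposed_setuid for $1 ("0" when clean).
count_exposed_setuid() {
    find_exposed_setuid "$1" | wc -l | tr -d ' '
}

# The post's fix: owner-only rwx. For a regular file an absolute mode of
# 700 also drops the setuid bit, so the file is neither privileged nor
# runnable by anyone but its owner.
harden_setuid() {
    chmod 700 "$1"
}

# Constructed fixture: a fake "doctor" with mode 4755 (setuid, world
# executable) next to a harmless "safe" helper with mode 755.
make_fixture() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho doctor\n' > "$dir/doctor"
    chmod 4755 "$dir/doctor"
    printf '#!/bin/sh\necho ok\n' > "$dir/safe"
    chmod 755 "$dir/safe"
    printf '%s\n' "$dir"
}

# Walk through the audit, the fix, and the re-audit on the fixture.
demo() {
    fixture=$(make_fixture)
    echo "Before: $(count_exposed_setuid "$fixture") exposed setuid file(s)"
    find_exposed_setuid "$fixture"
    harden_setuid "$fixture/doctor"
    echo "After:  $(count_exposed_setuid "$fixture") exposed setuid file(s)"
    rm -rf "$fixture"
}

demo
```

Running the script prints one exposed file (the fake `doctor`) before the fix and none after it; the `safe` helper is never reported because it has no setuid bit. Pointing `find_exposed_setuid` at `/` with `-user root` added gives the inventory an administrator would review after reading the post.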