Bugtraq: SCO 5.0.5 /bin/doctor nightmare

[btellier () WEBLEY COM (Brock Tellier)]

Greetings,

Sometimes we miss the forest for the trees, security-wise.  It would appear that I was right in my last doctor post "If 
a hole like this exists, there are undoubtedly countless more lurking within." , though I never would've imagined to 
this degree.  It would appear that doctor allows any user to have complete control over the system not via an exploit 
but simply by the nature of the program.  If I didn't know any better, I would guess that doctor was meant to be mode 
700 gone strangely awry and ended up suid-root and world executable.  

The "Command Execution" menu option under "Tools" allows you to run any command you wish with uid/gid 0.  I swear I am 
not making this up.  It doesn't appear as though doctor does any security checks at all. 

Lest you think this is a mere misconfiguration on my part, I re-installed a clean version of 5.0.5+skunkware and 
re-tested.  One has to wonder what is going on in Santa Cruz.

The fix, of course, is to chmod 700 /bin/doctor and not look back.

Brock Tellier
UNIX Systems Administrator
Webley Systems
www.webley.com

<!-- body="end" -->
<HR>

<UL>
<LI><STRONG>Next message:</STRONG> Bencsath Boldizsar: "Re: gftp - ms ftp debug mode"
<LI><STRONG>Previous message:</STRONG> Gérald Grévren: "[Security] Spoofed Id in Bluestone Sapphire/Web"
<LI><STRONG>Next in thread:</STRONG> Frank Bures: "Re: QMS2060 security hole"
<LI><STRONG>Reply:</STRONG> Frank Bures: "Re: QMS2060 security hole"
</UL>
<HR>

<SMALL>

This archive was generated by hypermail 2.0b3 
on Fri Sep 10 1999 - 12:30:48 CDT</EM>
</EM>
</SMALL>
</BODY>
</HTML>