Greetings,

Sometimes we miss the forest for the trees, security-wise. It would appear that I was right in my last doctor post "If a hole like this exists, there are undoubtedly countless more lurking within.", though I never would've imagined to this degree. It would appear that doctor allows any user to have complete control over the system not via an exploit but simply by the nature of the program. If I didn't know any better, I would guess that doctor was meant to be mode 700 gone strangely awry and ended up suid-root and world executable.

The "Command Execution" menu option under "Tools" allows you to run any command you wish with uid/gid 0. I swear I am not making this up. It doesn't appear as though doctor does any security checks at all.

Lest you think this is a mere misconfiguration on my part, I re-installed a clean version of 5.0.5+skunkware and re-tested. One has to wonder what is going on in Santa Cruz.

The fix, of course, is to chmod 700 /bin/doctor and not look back.

Brock Tellier
UNIX Systems Administrator
Webley Systems
www.webley.com
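The mode problem described in the post, and the effect of the chmod 700 fix, can be checked mechanically. The following is an added example, not part of the original message or of any SCO tooling: the function names are hypothetical, and the demo runs against a constructed stand-in file in a temporary directory rather than the real /bin/doctor.

```shell
#!/bin/sh
# Added example: classify a file by the mode bits the post describes
# (setuid plus world-executable) and verify what "chmod 700" changes.
# Only mode bits are inspected here; on a real host also require
# "-user root" in the find tests to match suid-root specifically.

# Print one of: setuid-world-exec, setuid-restricted, not-setuid
classify_mode() {
    f=$1
    if [ -n "$(find "$f" -prune -type f -perm -4000 2>/dev/null)" ]; then
        if [ -n "$(find "$f" -prune -perm -0001 2>/dev/null)" ]; then
            echo "setuid-world-exec"   # any local user can run it with the owner's uid
        else
            echo "setuid-restricted"   # setuid, but "other" cannot execute it
        fi
    else
        echo "not-setuid"
    fi
}

# Apply the fix from the post and report the state before and after.
# A numeric mode of 700 on a regular file clears the setuid bit as well
# as the group/other permissions, so both halves of the problem go away.
apply_fix() {
    f=$1
    before=$(classify_mode "$f")
    chmod 700 "$f" || return 1
    after=$(classify_mode "$f")
    echo "$before -> $after"
}

# Constructed stand-in for the binary: a harmless script given mode 4755.
demo() {
    dir=$(mktemp -d) || return 1
    target="$dir/doctor"
    printf '#!/bin/sh\nexit 0\n' > "$target"
    chmod 4755 "$target"
    apply_fix "$target"
    rm -rf "$dir"
}

demo
```

Running classify_mode over the output of a setuid inventory of the system shows which other binaries share the same mode combination.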
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:02:34 PDT