Bugtraq mailing list archives
SCO 5.0.5 /bin/doctor nightmare
From: btellier () WEBLEY COM (Brock Tellier)
Date: Wed, 8 Sep 1999 11:16:55 -0500
Greetings,

Sometimes we miss the forest for the trees, security-wise. It would appear that I was right in my last doctor post "If a hole like this exists, there are undoubtedly countless more lurking within.", though I never would've imagined to this degree.

It would appear that doctor allows any user to have complete control over the system not via an exploit but simply by the nature of the program. If I didn't know any better, I would guess that doctor was meant to be mode 700 gone strangely awry and ended up suid-root and world executable.

The "Command Execution" menu option under "Tools" allows you to run any command you wish with uid/gid 0. I swear I am not making this up. It doesn't appear as though doctor does any security checks at all. Lest you think this is a mere misconfiguration on my part, I re-installed a clean version of 5.0.5+skunkware and re-tested. One has to wonder what is going on in Santa Cruz.

The fix, of course, is to chmod 700 /bin/doctor and not look back.

Brock Tellier
UNIX Systems Administrator
Webley Systems
www.webley.com
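
An added check, not part of the original post: the shell functions below list files that carry both the set-uid bit and world-execute permission, the combination the post describes for /bin/doctor, and confirm that mode 700 clears it. The function names and the scratch file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).

# Print regular files under directory $1 that have BOTH the set-uid bit (4000)
# and execute permission for "other" (0001). "-perm -4001" matches only when
# every listed bit is set. Optional $2 restricts the search to one owner,
# e.g. "root" when auditing a real host.
list_suid_world_exec() {
    if [ -n "$2" ]; then
        find "$1" -type f -user "$2" -perm -4001 2>/dev/null
    else
        find "$1" -type f -perm -4001 2>/dev/null
    fi
}

# Return 0 if file $1 no longer matches the pattern, 1 if it still does.
is_locked_down() {
    [ -z "$(find "$1" -type f -perm -4001 2>/dev/null)" ]
}

# Constructed demonstration on a scratch file standing in for the binary:
# flagged at mode 4755, clean after the chmod 700 given in the post.
demo_fix() {
    d=$(mktemp -d) || return 1
    : > "$d/standin"
    chmod 4755 "$d/standin"
    before=$(list_suid_world_exec "$d")
    chmod 700 "$d/standin"
    after=$(list_suid_world_exec "$d")
    rm -rf "$d"
    [ -n "$before" ] && [ -z "$after" ]
}

if demo_fix; then
    echo "scratch file: flagged at 4755, clean at 700"
fi
```

On a real system, run `list_suid_world_exec /bin root` (and the other binary directories) and review each path it prints.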