Sometimes we miss the forest for the trees, security-wise. It would appear that I was right in my last doctor post "If a hole like this exists, there are undoubtedly countless more lurking within." , though I never would've imagined to this degree. It would appear that doctor allows any user to have complete control over the system not via an exploit but simply by the nature of the program. If I didn't know any better, I would guess that doctor was meant to be mode 700 gone strangely awry and ended up suid-root and world executable.
The "Command Execution" menu option under "Tools" allows you to run any command you wish with uid/gid 0. I swear I am not making this up. It doesn't appear as though doctor does any security checks at all.
Lest you think this is a mere misconfiguration on my part, I re-installed a clean version of 5.0.5+skunkware and re-tested. One has to wonder what is going on in Santa Cruz.
The fix, of course, is to chmod 700 /bin/doctor and not look back.
