Greetings,

Sometimes we miss the forest for the trees, security-wise. It would appear that I was right in my last doctor post "If a hole like this exists, there are undoubtedly countless more lurking within.", though I never would've imagined to this degree. It would appear that doctor allows any user to have complete control over the system not via an exploit but simply by the nature of the program. If I didn't know any better, I would guess that doctor was meant to be mode 700 gone strangely awry and ended up suid-root and world executable.

The "Command Execution" menu option under "Tools" allows you to run any command you wish with uid/gid 0. I swear I am not making this up. It doesn't appear as though doctor does any security checks at all.

Lest you think this is a mere misconfiguration on my part, I re-installed a clean version of 5.0.5+skunkware and re-tested. One has to wonder what is going on in Santa Cruz. The fix, of course, is to chmod 700 /bin/doctor and not look back.

Brock Tellier
UNIX Systems Administrator
Webley Systems
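
An added example, not part of the original post: a POSIX shell check for the condition described above (a setuid file that is also world-executable), generalized from /bin/doctor to any directory, plus a verified version of the chmod 700 fix. The function names are hypothetical, and the owner is a parameter so the check can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# audit_suid OWNER DIR...
# Print every regular file under DIR... that is owned by OWNER (name or
# numeric uid), has the setuid bit set, and is executable by "other".
# -perm -4001 matches only when BOTH the 4000 and 0001 bits are set.
# -xdev keeps the search on the starting filesystem.
audit_suid() {
    owner=$1
    shift
    find "$@" -xdev -type f -user "$owner" -perm -4001 -print 2>/dev/null
}

# lock_down FILE
# Apply the fix from the post (mode 700), then confirm the resulting mode
# is exactly 0700: no setuid/setgid bit and no group or other access.
lock_down() {
    chmod 700 "$1" || return 1
    [ -n "$(find "$1" -prune -type f -perm 0700 -print 2>/dev/null)" ]
}

# Stand-alone use: audit root-owned files in the directories given as
# arguments, e.g.  sh audit.sh /bin /usr/bin
if [ "$#" -gt 0 ]; then
    audit_suid 0 "$@"
fi
```

Run as root, `audit_suid 0 /bin` lists the files to review; `lock_down /bin/doctor` applies the post's fix and fails if the mode did not end up as 0700.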
