COMMAND

    /bin/doctor

SYSTEMS AFFECTED

    SCO 5.0.4, 5.0.5

PROBLEM

    Brock Tellier found the following. There is a local root compromise
    in SCO 5.0.5's /bin/doctor 2.0.0e2 and probably others. By supplying
    a doctor script file you can read the first partial line of any file
    on the system (good enough for /etc/shadow). Example:

        scobox:/bin$ id
        uid=136(btellier),200(users)
        scobox:/bin$ uname -a
        SCO_SV scobox 3.2 5.0.5 i386
        scobox:/bin$ doctor -V
        doctor 2.0.0e 2
        scobox:/bin$ doctor -s /etc/shadow
        doctor: WARNING User message: invalid command name "root:xbfOLR0ekXN/o:10656::"
        scobox:/bin$

    And so on. On 5.0.4 this works as well. It appears that doctor
    allows any user to have complete control over the system, not via
    an exploit but simply by the nature of the program. If we didn't
    know any better, we would guess that doctor was meant to be mode
    700 and somehow ended up suid-root and world-executable.

    The "Command Execution" menu option under "Tools" allows you to
    run any command you wish with uid/gid 0!!! It doesn't appear as
    though doctor does any security checks at all.

SOLUTION

    Just chmod -s /bin/doctor until SCO comes out with a fix.
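
    The workaround above amounts to finding binaries that are setuid and
    executable by everyone and stripping the setuid bit. The script below
    is an added example written for this page, not SCO code or part of the
    original advisory: it audits a list of paths for exactly that
    combination (setuid bit set and world-executable) by parsing ls -ld
    output, and applies the advisory's chmod -s fix on request. It assumes
    only ls, awk and chmod, so it should run on an old userland; the
    function names audit_setuid and strip_setuid are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): audit paths for the condition
# described above, a binary that is setuid AND executable by everyone,
# and strip the setuid bit as the advisory's interim fix.
# Uses only ls, awk and chmod so it runs on an old SCO-style userland.

# Print "path owner mode" for each file that is setuid and world-executable.
# Returns 0 if at least one such file was found, 1 otherwise.
audit_setuid() {
    found=1
    for f in "$@"; do
        [ -f "$f" ] || continue
        line=$(ls -ld "$f") || continue
        mode=$(printf '%s\n' "$line" | awk '{print $1}')
        owner=$(printf '%s\n' "$line" | awk '{print $3}')
        # The mode string looks like -rwsr-xr-x: character 4 is s/S when
        # setuid, character 10 is x/t when world-executable; the trailing *
        # absorbs any ACL/label marker some ls versions append.
        case "$mode" in
            ???[sS]?????[xt]*)
                printf '%s %s %s\n' "$f" "$owner" "$mode"
                found=0
                ;;
        esac
    done
    return $found
}

# Remove the setuid bit (the advisory's "chmod -s" workaround) from each path.
strip_setuid() {
    for f in "$@"; do
        chmod u-s "$f"
    done
}

# Usage: sh audit_setuid.sh /bin/doctor /usr/bin/other ...
# With no arguments nothing is audited, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    if audit_setuid "$@"; then
        echo "setuid and world-executable binaries found; review, then strip_setuid" >&2
    else
        echo "none of the given paths are setuid and world-executable"
    fi
fi
```

    Run it against /bin/doctor (and any other setuid binaries you want to
    review) and it prints the owner and mode of each match; strip_setuid
    then applies the same chmod the advisory recommends. The owner column
    lets you tell a root-owned setuid binary, the dangerous case here,
    from one owned by an ordinary user.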