|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Secure Network Operations , Inc. (recon
SNOSOFT.COM)Date: Tue Mar 27 2001 - 06:37:20 CST
======================================================================
Strategic Reconnaissance Team Security Advisory(SRT2001-05)
Topic: SCO 5.0.6 issues (lpusers)
Vendor: SCO
Release Date: 03/27/01
======================================================================
.: Description
SCO OpenServer 5.0.6 ships with suid bin
/opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpusers.
lpusers has poor handling of command line arguments resulting in a buffer
overflow.
lpusers will core dump if fed more than 670 chars.
.: Impact
/opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpusers -u `perl -e 'print "A" x 700'`
Memory fault - core dumped
This problem makes it possible to overwrite memory space of the running
process,
and potentially execute code with the inherited privileges of bin.
.: Workaround
chmod -s /opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpusers
.: Systems Affected
SCO OpenServer 5.0.6 upgrade from 5.0.x and 5.0.6 fresh install.
.: Proof of Concept
To be released at a later time.
.: Vendor Status
Vendor was notified on 03/22/01. Vendor lab tests confirmed the issue. Patch
status is unknown.
.: Credit
Kevin Finisterre
dotslashsnosoft.com, krfinisterrecheckfree.com
======================================================================
©Copyright 2001 Secure Network Operations , Inc. All Rights Reserved.
Strategic Reconnaissance Team | reconsnosoft.com
http://recon.snosoft.com | http://www.snosoft.com
----------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]