Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Secure Network Operations , Inc. (reconSNOSOFT.COM)
Date: Tue Mar 27 2001 - 06:39:54 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Strategic Reconnaissance Team Security Advisory(SRT2001-01)
    Topic: SCO 5.0.6 MMDF issues (sendmail 8.9.3)
    Vendor: SCO
    Release Date: 03/27/01
    .: Description
    SCO OpenServer 5.0.6 ships with a previously known buggy MMDF package.
    SCO Security Bulletin 2000.06 states "Recently Network Associates, Inc.
    issued a SECURITY ADVISORY against all versions of MMDF prior to the
    beta release 2.44a-B4" however SCO still released OpenServer 5.0.6 with
    version 2.43.3b of MMDF. The sendmail 8.9.3 binary has poor handling of
    command line arguments resulting in a buffer overflow.

    .: Impact
    /opt/K/SCO/MMDF/2.43.3b/usr/lib/sendmail `perl -e 'print "A" x 3000'`
    Memory fault - core dumped

    This problem makes it possible to overwrite memory space of the running
    and potentially execute code with the inherited privileges of the mmdf
    uid=17(mmdf) gid=22(mmdf) groups=22(mmdf)

    .: Workaround
    chmod -s /opt/K/SCO/MMDF/2.43.3b/usr/lib/sendmail
    upgrade to a newer version of MMDF.

    .: Systems Affected
    SCO OpenServer 5.0.6 upgrade from 5.0.x and 5.0.6 fresh install.

    .: Proof of Concept
    To be released at a later time. Existing 5.0.x sendmail exploits may be valid.

    .: Vendor Status
    Vendor was notified on 03/22/01. Vendor lab tests confirmed the issue. Patch
    status is unknown.

    .: References
    Original SCO advisory

    .: Credit
    Kevin Finisterre
    dotslashsnosoft.com, krfinisterrecheckfree.com

    ęCopyright 2001 Secure Network Operations , Inc. All Rights Reserved.
    Strategic Reconnaissance Team | reconsnosoft.com
    http://recon.snosoft.com | http://www.snosoft.com