 
From: securitycaldera.com
Date: Wed Mar 20 2002 - 17:12:33 CST


    To: bugtraqsecurityfocus.com announcelists.caldera.com scoannmodxenitec.on.ca

    ___________________________________________________________________________

                Caldera International, Inc. Security Advisory

    Subject: Open UNIX, UnixWare 7: rpc.cmsd can be remotely exploited
    Advisory number: CSSA-2002-SCO.12
    Issue date: 2002 March 20
    Cross reference:
    ___________________________________________________________________________

    1. Problem Description
            
      1.1 Overview

            The rpc.cmsd daemon overflows a buffer under certain
            circumstances, potentially allowing a remote user to
            gain privilege.

      1.2 Detail
      
            The exploit code provided by jGgM requests program 100068
            version 4 on UDP (implemented by /usr/dt/bin/rpc.cmsd) and
            then does a single RPC call to procedure 21 (rtable_create)
            passing 2 strings, one of which creates a buffer overflow.

            $BASE/server/rtable4.c:_DtCm_rtable_create_4_svc(args) where
            args is of type Table_Op_Args_4: 2 client supplied strings as
            args->target and args->new_target. "new_target" is never used
            and "target" creates the overflow later on.

            _DtCmGetPrefix will overflow its local variable "buf" if the
            "sep" character that terminates the prefix is not present in
            the input.

            A secondary problem may also occur because
            _DtCm_rtable_create_4_svc does not make sure that the length
            of args->target is < BUFSIZ.
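The two defects described above (an unbounded copy up to a separator that may be absent, and a caller that never checks the argument length against the buffer size), shown as an added defensive example; this is not CDE, Caldera or rpc.cmsd code, and the function names, buffer sizes and sample input are assumptions:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the "copy the prefix up to a separator"
 * pattern the advisory describes; not the CDE or rpc.cmsd source. The unsafe
 * shape copies from 'target' into a fixed local buffer until 'sep' is seen,
 * so a missing 'sep' runs the copy past the buffer's end. This version
 * bounds the copy and refuses inputs that lack the separator. */

/* Returns the prefix length, or -1 if 'sep' is missing or the prefix plus
 * its terminator would not fit in 'buf'. 'buf' is NUL-terminated on
 * success and left empty on failure. */
int get_prefix_bounded(const char *target, char sep, char *buf, size_t buflen)
{
    const char *end;
    size_t len;

    if (target == NULL || buf == NULL || buflen == 0)
        return -1;
    buf[0] = '\0';

    end = strchr(target, sep);          /* separator must be present */
    if (end == NULL)
        return -1;

    len = (size_t)(end - target);
    if (len >= buflen)                  /* keep room for the terminator */
        return -1;

    memcpy(buf, target, len);
    buf[len] = '\0';
    return (int)len;
}

/* Caller-side check matching the advisory's second point: reject the
 * argument when its length is not below the fixed buffer size. */
int target_length_ok(const char *target, size_t limit)
{
    return target != NULL && strlen(target) < limit;
}

int main(void)
{
    char buf[64];
    /* constructed sample input, not a value from the advisory */
    printf("%d\n", get_prefix_bounded("calendar@host", '@', buf, sizeof buf));
    return 0;
}
```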

    2. Vulnerable Supported Versions

            Operating System     Version     Affected Files
            ------------------------------------------------------------------
            UnixWare 7           7.1.1       /usr/dt/bin/rpc.cmsd
            Open UNIX            8.0.0       /usr/dt/bin/rpc.cmsd

    3. Workaround

            None.

    4. UnixWare 7, Open UNIX 8

      4.1 Location of Fixed Binaries

            ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.12/

      4.2 Verification

            MD5 (erg711942b.Z) = 64d49dcd622cccbb2e7553e2706bc33d

            md5 is available for download from
                    ftp://stage.caldera.com/pub/security/tools/

      4.3 Installing Fixed Binaries

            Upgrade the affected binaries with the following commands:

            Download erg711942b.Z to the /var/spool/pkg directory

            # uncompress /var/spool/pkg/erg711942b.Z
            # pkgadd -d /var/spool/pkg/erg711942b

    5. References

            Specific references for this advisory:

                    none

            Caldera UNIX security resources:

                    http://stage.caldera.com/support/security/
                           
            Caldera OpenLinux security resources:

                    http://www.caldera.com/support/security/index.html

            This advisory addresses Caldera Security internal incidents
            sr858623, fz519829, erg711942.

    6. Disclaimer

            Caldera International, Inc. is not responsible for the misuse
            of any of the information we provide on our website and/or
            through our security advisories. Our advisories are a service
            to our customers intended to promote secure installation and
            use of Caldera International products.

    7. Acknowledgements

            This vulnerability was discovered and researched by jGgM
            <jggmmail.com>.

             
    ___________________________________________________________________________
