OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: researchteam5esecurityonline.com
Date: Mon Apr 29 2002 - 14:50:33 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    eSO Security Advisory: 2397
    Discovery Date: March 28, 2000
    ID: eSO:2397
    Title: Sun Solaris admintool -d and PRODVERS buffer
                            overflow vulnerabilities
    Impact: Local attackers can gain root privileges
    Affected Technology: Solaris 2.5, 2.5.1, 2.6, 7, 8 SPARC and x86
    Vendor Status: Patches are available
    Discovered By: Kevin Kotas of the eSecurityOnline Research
                            and Development Team
    CVE Reference: CAN-2002-0089

    Advisory Location:
    http://www.eSecurityOnline.com/advisories/eSO2397.asp

    Description:
    The Sun Solaris admintool utility is vulnerable to multiple buffer
    overflow conditions that allow a local attacker to gain root access.
    The problems are due to insufficient bounds checking on command line
    options and on a configuration file variable. An attacker can use a
    carefully constructed string with the -d command line option or with
    the PRODVERS .cdtoc file variable to gain root privileges.

    The first buffer overflow is related to command line execution of
    admintool with the -d switch, when a long string is used with
    "/Solaris" present.

    The second buffer overflow occurs due to a lack of bounds checking
    for the PRODVERS argument in the .cdtoc file. The .cdtoc file is used
    to specify variables for installation media. Through the
    software/edit/add feature, a local directory can be specified that
    contains a .cdtoc file. The file can contain a string of data for
    the PRODVERS variable that will cause the program to crash or execute
    code when processed.

    Technical Recommendation:
    Apply the following patches.

    Solaris 2.5:
    103247-16

    Solaris 2.5_x86:
    103245-16

    Solaris 2.5.1:
    103558-16

    Solaris 2.5.1_x86:
    103559-16

    Solaris 2.6:
    105800-07

    Solaris 2.6_x86:
    105801-07

    Solaris 7:
    108721-02

    Solaris 7_x86:
    108722-02

    Solaris 8:
    10453-01

    Solaris 8_x86:
    110454-01

    As a workaround solution, remove the setuid permissions with the following:
    chmod -s /usr/bin/admintool

    Vendor site:
    http://sunsolve.sun.com

    Acknowledgements:
    eSecurityOnline would like to thank Sun Microsystems and the Sun security
    team for their cooperation in resolving the issue.

    Copyright 2002 eSecurityOnline LLC. All rights reserved.

    THE INFORMATION IN THIS VULNERABILITY ALERT IS PROVIDED BY
    ESECURITYONLINE LLC "AS IS", "WHERE IS", WITH NO WARRANTY OF ANY KIND,
    AND ESECURITYONLINE LLC HEREBY DISCLAIMS THE IMPLIED WARRANTIES OF
    NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    PURPOSE. ESECURITYONLINE LLC SHALL HAVE NO LIABILITY FOR ANY DAMAGE,
    CLAIM OR LOSS RESULTING FROM YOUR USE OF THE INFORMATION CONTAINED IN
    THIS VULNERABILITY ALERT.