OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: researchteam5esecurityonline.com
Date: Mon Apr 29 2002 - 14:55:15 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    eSO Security Advisory: 2406
    Discovery Date: March 31, 2000
    ID: eSO:2406
    Title: CDE dtprintinfo Help search buffer overflow
                            vulnerability
    Impact: Local attackers can gain root level access
    Affected Technology: Solaris 2.4, 2.5, 2.5.1, 2.6, 7, 8 SPARC and x86
                            HP-UX 10.10, 10.20, 10.24, 11.00, 11.04, 11.11
                            IBM AIX 4.3, 4.3.1, 4.3.2, 4.3.3
                            Compaq Tru64 5.1A, 5.1, 5.0A, 4.0G, 4.0F
                            CDE
    Vendor Status: Patches are available
    Discovered By: Kevin Kotas of the eSecurityOnline Research
                            and Development Team
    CVE Reference: CAN-2001-0551

    Advisory Location:
    http://www.eSecurityOnline.com/advisories/eSO2406.asp

    Description:
    The CDE dtprintinfo program is vulnerable to a buffer overflow
    condition that allows a local attacker to gain root access. The
    problem occurs due to insufficient bounds checking in the Volume
    search field from the Help section. An attacker can insert a specially
    crafted string for the search parameter and gain root privileges.

    In the dtprintinfo Help, an Index search function permits querying by
    keyword. If a string of appropriate length is inserted into the
    'Entries with' field and a single Help Volume is selected for the
    search, an exploitable buffer overflow will occur.

    Technical Recommendation:
    Upgrade with the following patches.

    Solaris 2.4, 2.5, 2.5.1 SPARC:
    105076-04

    Solaris 2.4, 2.5, 2.5.1 x86:
    105354-04

    Solaris 2.6 SPARC:
    106242-03

    Solaris 2.6 x86:
    106243-03

    Solaris 7 SPARC:
    107178-02

    Solaris 7 x86:
    107179-02

    Solaris 8 SPARC:
    108949-04

    Solaris 8 x86:
    108950-04

    IBM AIX:

    AIX 4.3.x:
    APAR #IY21539

    AIX 5.1:
    APAR #IY20917

    Compaq:
    SSRT1-78U
    SSRT0788U
    SSRT0757U
    SSRT-541

    HP-UX:
    10.10: PHSS_23355
    10.20: PHSS_23796
    10.24: PHSS_24097
    11.00: PHSS_23797
    11.04: PHSS_24098
    11.11: PHSS_24087, PHSS_24091

    Acknowledgements:
    eSecurityOnline would like to thank Sun Microsystems and the Sun
    security team for their cooperation in resolving the issue.

    Copyright 2002 eSecurityOnline LLC. All rights reserved.

    THE INFORMATION IN THIS VULNERABILITY ALERT IS PROVIDED BY
    ESECURITYONLINE LLC "AS IS", "WHERE IS", WITH NO WARRANTY OF ANY KIND,
    AND ESECURITYONLINE LLC HEREBY DISCLAIMS THE IMPLIED WARRANTIES OF
    NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    PURPOSE. ESECURITYONLINE LLC SHALL HAVE NO LIABILITY FOR ANY DAMAGE,
    CLAIM OR LOSS RESULTING FROM YOUR USE OF THE INFORMATION CONTAINED IN
    THIS VULNERABILITY ALERT.