SCO Curses Library Lets Local Users Escalate Privileges, Possibly Gaining Root Privileges on the Host
Date: Jun 23 2001 02:35 (UTC/GMT)
Impact: Execution of arbitrary code via local system
Fix Available: Yes
Vendor Confirmed: Yes
Description: Caldera announced a vulnerability in the SCO curses library that allows a local user to escalate their privileges and possibly obtain root level privileges on the host.

SCO (Caldera) reports that a buffer overrun vulnerability has been found in the curses library. A local user can run a set user id (suid) or set group id (sgid) application or command that uses the curses library to trigger the vulnerability and gain additional privileges.

Two example applications are /usr/lib/sysadm/atcronsh, shipped with OpenServer, and /usr/sbin/rtpm, shipped with UnixWare 7. Note that the rtpm vulnerability was previously reported.
Impact: A local user can obtain escalated privileges, including root level privileges, on the host.
Solution: SCO (Caldera) has released patches. SCO notes that the curses library is shipped only as a static library, so an application would need to be re-linked with this new library to take advantage of the fix. See the Source Message for the SCO/Caldera advisory.
Vendor URL: www.sco.com/
Cause: Boundary error
Underlying OS: UNIX (SCO)
Reported By: Andrew Sharpe <asharpe@sco.COM>
Message History:
None.

Source Message Contents
Date: Fri, 22 Jun 2001 10:41:21 -0700
From: Andrew Sharpe <asharpe@sco.COM>
Subject: Caldera Systems security advisory: libcurses, atcronsh, rtpm
___________________________________________________________________________
Caldera Systems, Inc. Security Advisory
Subject: curses library, rtpm, atcronsh
Advisory number: CSSA-2001-SCO.1
Issue date: 2001 June, 22
Cross reference:
_____________________________________________________________________________
1. Problem Description
A buffer overrun vulnerability has been found in the curses
library. A malicious user could attack a set{uid,gid} command
that uses this library to gain privileges.
One such command that is shipped with OpenServer is
/usr/lib/sysadm/atcronsh.
One such command that is shipped with UnixWare 7 is
/usr/sbin/rtpm.
In addition, the curses library is shipped only as a static
library, so an application would need to be re-linked with
this new library to take advantage of the fix.
2. Vulnerable Versions
Operating System    Version      Affected Files
----------------------------------------------------------------
UnixWare 7          All          /usr/sbin/rtpm
                                 /usr/ccs/lib/libcurses.a
OpenServer          <= 5.0.6a    /usr/lib/sysadm/atcronsh
                                 /usr/lib/libcurses.a
3. Workaround
For rtpm:
# chmod g-s /usr/sbin/rtpm
For atcronsh:
# chmod g-s /usr/lib/sysadm/atcronsh
Otherwise, none.
4. UnixWare 7
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/security/unixware/sr848806/
4.2 Verification
md5 checksums:
ae2bc5b813dad2c729fb3593b59fd62a libcurses.a.Z
990d9216ed368f2939596104c60bd27b rtpm.Z
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools/
4.3 Installing Fixed Binaries
Back up the existing /usr/ccs/lib/libcurses.a, and replace it
with the provided libcurses.a binary. Ensure that the new
libcurses.a has bin/bin/0444 permissions.
Back up the existing /usr/sbin/rtpm and replace it with the
provided rtpm binary. Ensure that the new rtpm has
bin/sys/02555 permissions.
5. OpenServer
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/security/openserver/sr848771/
libcurses.a is not yet available; expect it within a week of
this advisory.
4.2 Verification
md5 checksums:
bf1ce0570284a1e12256ebac0174f6d4 atcronsh.Z
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools/
4.3 Installing Fixed Binaries
Back up the existing /usr/lib/sysadm/atcronsh and replace it
with the provided atcronsh binary. Ensure that the new
atcronsh has bin/cron/02111 permissions.
Back up the existing /usr/lib/libcurses.a, and replace it
with the provided libcurses.a binary. Ensure that the new
libcurses.a has bin/bin/0644 permissions.
6. References
Caldera security resources are located at the following url:
http://www.calderasystems.com/support/security/index.html
7. Disclaimer
Caldera Systems, Inc. is not responsible for the misuse of any
of the information we provide on this website and/or through
our security advisories. Our advisories are a service to our
customers intended to promote secure installation and use of
Caldera OpenLinux.
8. Acknowledgements
Caldera wishes to thank Aycan Irican <aycan@mars.prosoft.com.tr>
for spotting the UnixWare problem.
Caldera wishes to thank KF <dotslash@snosoft.com> for spotting
the OpenServer problem.
_____________________________________________________________________________
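The workaround and installation steps in the advisory above name exact owner/group/mode values for each file. As an added example (not part of the Caldera advisory or of this tracker entry), the following POSIX shell script audits those values and reports whether the set-group-ID bit is present. The function names, the table variables and the optional root-prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the file states named in CSSA-2001-SCO.1.
# Table rows are "path owner group mode", copied from the advisory's
# "Installing Fixed Binaries" sections. All names here are hypothetical.
UNIXWARE='/usr/ccs/lib/libcurses.a bin bin 0444
/usr/sbin/rtpm bin sys 02555'
OPENSERVER='/usr/lib/sysadm/atcronsh bin cron 02111
/usr/lib/libcurses.a bin bin 0644'

# True only if FILE is a regular file with exactly this owner, group, mode.
# -user, -group and -perm are POSIX find primaries, so stat(1) is not needed.
check_perms() {
    [ -n "$(find "$1" -prune -type f -user "$2" -group "$3" -perm "$4" 2>/dev/null)" ]
}

# True if the set-group-ID bit is set, i.e. the "chmod g-s" workaround
# is not in effect (the fixed binaries are installed setgid, per the modes above).
has_setgid() {
    [ -n "$(find "$1" -prune -perm -2000 2>/dev/null)" ]
}

# Audit each row of TABLE under an optional ROOT prefix (staging tree).
# Prints one line per file; the return status is the number of mismatches.
audit() {
    table=$1
    root=${2:-}
    bad=0
    while read -r path owner group mode; do
        [ -n "$path" ] || continue
        if check_perms "$root$path" "$owner" "$group" "$mode"; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (want $owner/$group/$mode)"
            bad=$((bad + 1))
        fi
    done <<EOF
$table
EOF
    return "$bad"
}

# Run as: sh audit.sh unixware   or   sh audit.sh openserver
case "${1:-}" in
    unixware)   audit "$UNIXWARE" ;;
    openserver) audit "$OPENSERVER" ;;
esac
```

A missing file counts as a mismatch, so run only the table for the installed operating system.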