SecurityTracker.com
Category:  Application (Generic)  >  Rcp
Vendors:  Sun
Sun Solaris 'rcp' Remote Copy Utility May Allow Local Users to Obtain Root Privileges
SecurityTracker Alert ID:  1004632
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jun 26 2002
Impact:  Execution of arbitrary code via local system, Root access via local system
Description:  A potential vulnerability was reported in the 'rcp' command line utility for Sun Solaris 9. A buffer overflow may exist. If it is exploitable, a local user could execute arbitrary code with root privileges. However, the report did not confirm whether the utility is exploitable.

A local user can pass a long command line argument to the 'rcp' utility to trigger a segmentation fault. The report did not indicate whether a local user could use this to overwrite memory in a way that would allow the execution of arbitrary code.

The utility is reportedly configured with set user id (suid) root privileges. If it is possible to execute arbitrary code, then the code would run with root privileges, giving the local user root access on the system.

A demonstration exploit transcript is provided:

bash-2.05$ uname -a
SunOS solaris9 5.9 Generic sun4u sparc SUNW,Ultra-5_10
bash-2.05$ ls -l /usr/sbin/static/rcp
-r-sr-xr-x 1 root bin 787700 Apr 6 16:58 /usr/sbin/static/rcp
bash-2.05$ /usr/sbin/static/rcp `perl -e 'print "A" x 10000'` `perl -e 'print "A" x 10000'`:`perl -e 'print "A" x 10000'`
Segmentation Fault
bash-2.05$ gdb
bash: gdb: command not found
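
The report does not identify the code that faults, so the following is an added illustration, not Sun's code and not part of the original report: a C routine that splits an rcp-style "host:path" operand into fixed-size buffers and rejects any part that does not fit, which is the check a boundary error of this kind lacks. The names parse_operand, struct operand, HOST_CAP and PATH_CAP and their values are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define HOST_CAP 256    /* assumed buffer size for this example */
#define PATH_CAP 1024   /* assumed buffer size for this example */

struct operand {
    char host[HOST_CAP];   /* empty string when the operand is a local path */
    char path[PATH_CAP];
};

/* Copy n bytes of src into dst (capacity cap) only if they fit with the NUL. */
static int copy_bounded(char *dst, size_t cap, const char *src, size_t n)
{
    if (n >= cap)
        return -1;          /* refuse instead of truncating or overrunning */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Split "host:path" (or a plain local path) into fixed buffers.
 * Returns 0 on success, -1 if either part would not fit. */
int parse_operand(const char *arg, struct operand *out)
{
    const char *colon = strchr(arg, ':');
    const char *slash = strchr(arg, '/');

    /* A ':' after a '/' is treated here as part of a local file name. */
    if (colon == NULL || (slash != NULL && slash < colon)) {
        out->host[0] = '\0';
        return copy_bounded(out->path, sizeof out->path, arg, strlen(arg));
    }
    if (copy_bounded(out->host, sizeof out->host, arg, (size_t)(colon - arg)) != 0)
        return -1;
    return copy_bounded(out->path, sizeof out->path, colon + 1, strlen(colon + 1));
}

int main(void)
{
    static char big[20002];   /* constructed: 10000 'A', ':', 10000 'A', NUL */
    struct operand op;

    memset(big, 'A', sizeof big - 1);
    big[10000] = ':';
    printf("oversized operand -> %d\n", parse_operand(big, &op));
    printf("normal operand    -> %d\n", parse_operand("host1:/tmp/f", &op));
    return 0;
}
```
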

Impact:  A local user can trigger a segmentation fault. It may be possible for a local user to execute arbitrary code with root privileges; however, that was not confirmed in the report.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.sun.com/
Cause:  Boundary error
Underlying OS:  UNIX (Solaris - SunOS)
Underlying OS Comments:  Solaris 9
Reported By:  alex medvedev <alexm@pycckue.org>
Message History:   None.


 Source Message Contents

Date:  Fri, 21 Jun 2002 13:42:04 -0500 (CDT)
From:  alex medvedev <alexm@pycckue.org>
Subject:  solaris 9 sparc rcp

 

hallo,

freshly installed solaris 9 sparc.
one more suid segfault:

bash-2.05$ uname -a
SunOS solaris9 5.9 Generic sun4u sparc SUNW,Ultra-5_10
bash-2.05$ ls -l /usr/sbin/static/rcp
-r-sr-xr-x   1 root     bin       787700 Apr  6 16:58 /usr/sbin/static/rcp
bash-2.05$ /usr/sbin/static/rcp `perl -e 'print "A" x 10000'` `perl -e 'print "A" x 10000'`:`perl -e 'print "A" x 10000'`
Segmentation Fault
bash-2.05$ gdb 
bash: gdb: command not found
bash-2.05$


-alexm



 



Copyright 2002, SecurityGlobal.net LLC