(Vulnerability in lpforms) Re: SCO UNIX Contains Multiple Vulnerabilities That Allow Users to Crash Applications and May Allow Users to Execute Arbitrary Code on the Server
SecurityTracker Alert ID: 1001179|
SecurityTracker URL: http://securitytracker.com/id/1001179
(Links to External Site)
Date: Mar 28 2001
Denial of service via local system, User access via local system|
Exploit Included: Yes |
Version(s): SCO 5.0.6|
Secure Network Operations Strategic Reconnaissance Team issued several advisories for vulnerabilities in SCO UNIX utilities and applications, including lpusers, lpshut, lpadmin, lpforms, recon, and sendmail.|
It is reported that SCO OpenServer 5.0.6 ships with /opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpforms configured as set userid "bin". In addition, lpforms contains a buffer overflow in its handling of command line arguments that will trigger if supplied with more than 6240 characters.
Vendor has reportedly been notified.
A local user can cause the lpforms application to crash and may be able to cause arbitrary code to be executed on the server with the privileges of the user "bin".|
No solution was available at the time of this entry.|
Vendor URL: www.sco.com (Links to External Site)
UNIX (Open UNIX-SCO)|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Date: Tue, 27 Mar 2001 13:34:02 +0100|
Subject: SCO 5.0.6 issues (lpforms)
Strategic Reconnisiance Team Security Advisory(SRT2001-06)
Topic: SCO 5.0.6 issues (lpforms)
Release Date: 03/27/01
SCO OpenServer 5.0.6 ships with suid bin
lpforms has poor handling of command line arguments resulting in a buffer
lpforms will core dump if fed more than 6240 chars.
/opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpforms `perl -e 'print "A" x 7000'`
Memory fault - core dumped
This problem makes it possible to overwrite memory space of the running
and potentially execute code with the inherited privileges of bin.
.: Systems Affected
SCO OpenServer 5.0.6 upgrade from 5.0.x and 5.0.6 fresh install.
chmod -s /opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpforms
.: Proof of Concept
To be released at a later time.
.: Vendor Status
Vendor was notified on 03/22/01. Vendor lab tests confirmed the issue. Patch
status is unknown.
ęCopyright 2001 Secure Network Operations , Inc. All Rights Reserved.
Strategic Reconnisiance Team | email@example.com
http://recon.snosoft.com | http://www.snosoft.com