SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   OS (UNIX)  >   OpenServer Utilities (SCO) Vendors:   Santa Cruz Operations
(Vulnerability in lpforms) Re: SCO UNIX Contains Multiple Vulnerabilities That Allow Users to Crash Applications and May Allow Users to Execute Arbitrary Code on the Server
SecurityTracker Alert ID:  1001179
SecurityTracker URL:  http://securitytracker.com/id/1001179
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 28 2001
Impact:   Denial of service via local system, User access via local system
Exploit Included:  Yes  
Version(s): SCO 5.0.6
Description:   Secure Network Operations Strategic Reconnaissance Team issued several advisories for vulnerabilities in SCO UNIX utilities and applications, including lpusers, lpshut, lpadmin, lpforms, recon, and sendmail.

It is reported that SCO OpenServer 5.0.6 ships with /opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpforms configured as set userid "bin". In addition, lpforms contains a buffer overflow in its handling of command line arguments that will trigger if supplied with more than 6240 characters.

Vendor has reportedly been notified.

Impact:   A local user can cause the lpforms application to crash and may be able to cause arbitrary code to be executed on the server with the privileges of the user "bin".
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.sco.com (Links to External Site)
Cause:   Boundary error
Underlying OS:   UNIX (Open UNIX-SCO)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 28 2001 SCO UNIX Contains Multiple Vulnerabilities That Allow Users to Crash Applications and May Allow Users to Execute Arbitrary Code on the Server


 Source Message Contents
Date:  Tue, 27 Mar 2001 13:34:02 +0100
Subject:  SCO 5.0.6 issues (lpforms)


======================================================================
Strategic Reconnisiance Team Security Advisory(SRT2001-06)
Topic: SCO 5.0.6 issues (lpforms)
Vendor: SCO
Release Date: 03/27/01
======================================================================
.: Description
SCO OpenServer 5.0.6 ships with suid bin 
/opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpforms.
lpforms has poor handling of command line arguments resulting in a buffer 
overflow.
lpforms will core dump if fed more than 6240 chars.

.: Impact
/opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpforms `perl -e 'print "A" x 7000'`
Memory fault - core dumped

This problem makes it possible to overwrite memory space of the running 
process,
and potentially execute code with the inherited privileges of bin.

.: Workaround

.: Systems Affected
SCO OpenServer 5.0.6 upgrade from 5.0.x and 5.0.6 fresh install.
chmod -s /opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpforms

.: Proof of Concept
To be released at a later time.

.: Vendor Status
Vendor was notified on 03/22/01. Vendor lab tests confirmed the issue. Patch
status is unknown.

.: Credit
Kevin Finisterre
dotslash@snosoft.com, krfinisterre@checkfree.com

======================================================================
©Copyright 2001 Secure Network Operations , Inc.  All Rights Reserved.
Strategic Reconnisiance Team | recon@snosoft.com
http://recon.snosoft.com     | http://www.snosoft.com
----------------------------------------------------------------------


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC