SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   OS (UNIX)  >   OpenServer Utilities (SCO) Vendors:   Santa Cruz Operations
(Vulnerability in recon) Re: SCO UNIX Contains Multiple Vulnerabilities That Allow Users to Crash Applications and May Allow Users to Execute Arbitrary Code on the Server
SecurityTracker Alert ID:  1001180
SecurityTracker URL:  http://securitytracker.com/id/1001180
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 28 2001
Impact:   Denial of service via local system, User access via local system, error
Exploit Included:  Yes  
Version(s): SCO 5.0.6
Description:   Secure Network Operations Strategic Reconnaissance Team issued several advisories for vulnerabilities in SCO UNIX utilities and applications, including lpusers, lpshut, lpadmin, lpforms, recon, and sendmail.

It is reported that SCO OpenServer 5.0.6 ships with /opt/K/SCO/Unix/5.0.6Ga/usr/bin/recon configured as set userid "root". In addition, recon contains a buffer overflow in its handling of command line arguments that will trigger if supplied with more than 1315 characters.

Vendor has reportedly been notified.
Impact:   A local user can cause the recon application to crash and may be able to cause arbitrary code to be executed on the server with root-level privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.sco.com (Links to External Site)
Cause:   Boundary error
Underlying OS:   UNIX (Open UNIX-SCO)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 28 2001 SCO UNIX Contains Multiple Vulnerabilities That Allow Users to Crash Applications and May Allow Users to Execute Arbitrary Code on the Server


 Source Message Contents
Date:  Tue, 27 Mar 2001 13:39:05 +0100
Subject:  SCO 5.0.6 issues (recon)


======================================================================
Strategic Reconnaissance Team Security Advisory(SRT2001-02)
Topic: SCO 5.0.6 issues (recon)
Vendor: SCO
Release Date: 03/27/01
======================================================================
.: Description
SCO OpenServer 5.0.6 ships with a suid root 
/opt/K/SCO/Unix/5.0.6Ga/usr/bin/recon.
Recon has poor handling of command line arguments resulting in a buffer 
overflow.
The core is dumped upon feeding recon more than 1315 chars

.: Impact
/opt/K/SCO/Unix/5.0.6Ga/usr/bin/recon `perl -e 'print "A" x 3000'`
Memory fault - core dumped

This problem makes it possible to overwrite memory space of the running 
process,
and potentially execute code with the inherited privileges of root.

.: Workaround
chmod -s /opt/K/SCO/Unix/5.0.6Ga/usr/bin/recon

.: Systems Affected
SCO OpenServer 5.0.6 upgrade from 5.0.x and 5.0.6 fresh install.

.: Proof of Concept
To be released at a later time.

.: Vendor Status
Vendor was notified on 03/22/01. Vendor lab tests confirmed the issue. Patch
status is unknown.

.: Credit
Kevin Finisterre
dotslash@snosoft.com, krfinisterre@checkfree.com

======================================================================
©Copyright 2001 Secure Network Operations , Inc.  All Rights Reserved.
Strategic Reconnaissance Team | recon@snosoft.com
http://recon.snosoft.com     | http://www.snosoft.com
----------------------------------------------------------------------


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC