(Vulnerability in MMDF/Sendmail) Re: SCO UNIX Contains Multiple Vulnerabilities That Allow Users to Crash Applications and May Allow Users to Execute Arbitrary Code on the Server
|
|
SecurityTracker Alert ID: 1001183 |
|
SecurityTracker URL: http://securitytracker.com/id/1001183
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Mar 28 2001
|
Impact:
Denial of service via local system, User access via local system
|
Exploit Included: Yes
|
Version(s): SCO 5.0.6
|
Description:
Secure Network Operations Strategic Reconnaissance Team issued several advisories for vulnerabilities in SCO UNIX utilities and applications, including lpusers, lpshut, lpadmin, lpforms, recon, and sendmail.
It is reported that SCO OpenServer 5.0.6 ships with a previously known to be vulnerable buggy MMDF package (sendmail 8.9.3). SCO Security Bulletin 2000.06 reportedly states "Recently Network Associates, Inc. issued a SECURITY ADVISORY against all versions of MMDF prior to the beta release 2.44a-B4." However, OpenServer 5.0.6 ships with version 2.43.3b of MMDF.
In this version, sendmail contains a buffer overflow in its handling of command line arguments.
|
Impact:
A local user can cause the sendmail application to crash and may be able to cause arbitrary code to be executed on the server with the with the inherited privileges of the mmdf subsystem (uid and gid = mmdf).
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.sco.com (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
UNIX (Open UNIX-SCO)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Tue, 27 Mar 2001 13:39:54 +0100
Subject: SCO 5.0.6 MMDF issues (sendmail 8.9.3)
|
======================================================================
Strategic Reconnaissance Team Security Advisory(SRT2001-01)
Topic: SCO 5.0.6 MMDF issues (sendmail 8.9.3)
Vendor: SCO
Release Date: 03/27/01
======================================================================
.: Description
SCO OpenServer 5.0.6 ships with a previously known buggy MMDF package.
SCO Security Bulletin 2000.06 states "Recently Network Associates, Inc.
issued a SECURITY ADVISORY against all versions of MMDF prior to the
beta release 2.44a-B4" however SCO still released OpenServer 5.0.6 with
version 2.43.3b of MMDF. The sendmail 8.9.3 binary has poor handling of
command line arguments resulting in a buffer overflow.
.: Impact
/opt/K/SCO/MMDF/2.43.3b/usr/lib/sendmail `perl -e 'print "A" x 3000'`
Memory fault - core dumped
This problem makes it possible to overwrite memory space of the running
process,
and potentially execute code with the inherited privileges of the mmdf
subsystem.
uid=17(mmdf) gid=22(mmdf) groups=22(mmdf)
.: Workaround
chmod -s /opt/K/SCO/MMDF/2.43.3b/usr/lib/sendmail
upgrade to a newer version of MMDF.
.: Systems Affected
SCO OpenServer 5.0.6 upgrade from 5.0.x and 5.0.6 fresh install.
.: Proof of Concept
To be released at a later time. Existing 5.0.x sendmail exploits may be valid.
.: Vendor Status
Vendor was notified on 03/22/01. Vendor lab tests confirmed the issue. Patch
status is unknown.
.: References
Original SCO advisory
ftp://ftp.sco.com/SSE/security_bulletins/SB-00.06a
.: Credit
Kevin Finisterre
dotslash@snosoft.com, krfinisterre@checkfree.com
======================================================================
©Copyright 2001 Secure Network Operations , Inc. All Rights Reserved.
Strategic Reconnaissance Team | recon@snosoft.com
http://recon.snosoft.com | http://www.snosoft.com
----------------------------------------------------------------------
|
|
