(Vendor Issued a Fix) Re: SAS Job Spawner Buffer Overflow and Format String Bug Let Local Users Execute Arbitrary Code on the System with Root Privileges and Gain Root Privileges on the System
|
SecurityTracker Alert ID: 1003396
|
SecurityTracker URL: http://securitytracker.com/id/1003396
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: Jan 30 2002
|
Impact:
Execution of arbitrary code via local system, Root access via local system
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): SAS 8.0 and 8.1
|
Description:
Ministry-of-Peace reported a buffer overflow and format string vulnerability in the SAS Job Spawner (sastcpd). A local user can obtain root privileges on the system.
It is reported that sastcpd is installed with set user id (setuid) 'root' privileges by default. So, a local user can cause arbitrary code to be executed with root privileges, giving that user root access on the system.
The vendor reports that sites that have installed either of the SAS spawner programs "sastcpd" or "objspawn" may be affected. The potential for a security breach reportedly exists only if either the sastcpd or the objspawn executable (which would be installed in the !SASROOT/utilities/bin directory) has the following file ownership and permission settings:
-rwsr-xr-x 1 root techsup 304001 Apr 26 2000 objspawn
-rwsr-xr-x 1 root techsup 73925 Apr 26 2000 sastcpd
If either the permissions or the ownership of the files differs from these, the vendor reports that there is no exposure.
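One way to check a host against the vendor's exposure condition above, as an added example (not code from SAS or from the original advisory). It assumes "exposed" means owned by root with the setuid bit set; the function names and the directory argument are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. Assumption: "exposed" means the vendor's
# condition quoted above: the file is owned by root AND has the setuid bit.

# classify_listing: read `ls -l` lines on stdin and print one verdict per
# spawner binary (sastcpd, objspawn). Other files are ignored.
classify_listing() {
    awk '
    {
        name = $NF
        sub(/.*\//, "", name)                 # keep the basename only
        if (name != "sastcpd" && name != "objspawn") next
        bit = substr($1, 4, 1)                # owner-execute slot of the mode
        suid = (bit == "s" || bit == "S")     # s/S in that slot = setuid set
        root = ($3 == "root" || $3 == "0")    # name, or uid from `ls -ln`
        verdict = (suid && root) ? "EXPOSED" : "ok"
        printf "%s %s (owner=%s mode=%s)\n", verdict, name, $3, $1
    }'
}

# audit_spawners DIR: check the two spawners in DIR, e.g. the
# utilities/bin directory under the SAS installation root.
# -L follows symlinks so the real file's owner and mode are judged.
audit_spawners() {
    ls -lL "$1/sastcpd" "$1/objspawn" 2>/dev/null | classify_listing
}

# Run against a directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_spawners "$1"
fi
```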
|
Impact:
A local user can execute arbitrary code on the system with root level privileges, giving that user root access on the system.
|
Solution:
The vendor has issued a fix (in February 2001) and provided the following notice:
"For customers who wish to have the convenience of being able to launch these spawners without having to log in as root the following hotfix is available for download. It has been repaired so that it doesn't have the security exposure.
A Technical Support hot fix for Version 8 TSLEVEL M0 and Release 8.1 TSLEVEL 1M0 for this problem is available at:
http://ftp.sas.com/techsup/download/hotfix/v81/base/81ba28/81ba28.html
The same hot fix can be applied to both releases.
This problem is corrected in Release 8.2 TSLEVEL 2M0 and beyond."
See the vendor's technical note at:
www.sas.com/service/techsup/unotes/SN/004/004201.html
|
Vendor URL: www.sas.com/service/techsup/unotes/SN/004/004201.html
|
Cause:
Boundary error, Input validation error
|
Underlying OS:
Linux (Any), UNIX (Any)
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Tue, 29 Jan 2002 10:54:38 -0700 (MST)
Subject: Re: sastcpd Buffer Overflow and Format String Vulnerabilities
|
> "SAS software provides the foundation, tools, and
> solutions for data analysis, report generation,
> and enterprise-wide information delivery."
>
> The "SAS Job Spawner", sastcpd, contains both a buffer
> overflow and a format string vulnerability.
>
> SAS Support say that these problems were fixed in version
> 8.2 of this product, but we are unable to confirm as we
> do not have access to this version.

This problem appears to be addressed by the following product note:

http://www.sas.com/service/techsup/unotes/SN/004/004201.html

Some additional information Digital Shadow neglected to include:

sastcpd is part of the SAS/Base component. Although I neither work for
SAS, nor do I use their product on a regular basis, I'd assume this means
the scope of exposure is broad.

Additionally, it appears that the objspawn program included with the
SAS/Integration Technologies product is also vulnerable to these bugs.
objspawn is also a setuid root executable by default. See the above link
for more information.

Cheers,
ellipse