Security Update: [CSSA-2002-SCO.12] Open UNIX, UnixWare 7: rpc.cmsd can be remotely exploited


Date: Wed, 20 Mar 2002 15:12:33 -0800
From: security@caldera.com
To: bugtraq@securityfocus.com, announce@lists.caldera.com,
Subject: Security Update: [CSSA-2002-SCO.12] Open UNIX, UnixWare 7: rpc.cmsd can be remotely exploited


To: bugtraq@securityfocus.com announce@lists.caldera.com scoannmod@xenitec.on.ca

___________________________________________________________________________

	    Caldera International, Inc. Security Advisory

Subject:		Open UNIX, UnixWare 7: rpc.cmsd can be remotely exploited
Advisory number: 	CSSA-2002-SCO.12
Issue date: 		2002 March 20
Cross reference:
___________________________________________________________________________


1. Problem Description
  1.1 Overview

	The rpc.cmsd command  would overflow  a  buffer under  certain
	circumstances, allowing the possibility of  a  remote  user to
	gain privilege.


  1.2 Detail
	The  exploit  code provided by  jGgM  requests  program 100068
	version 4  on UDP  (implemented  by /usr/dt/bin/rpc.cmsd)  and
	then  does a single RPC call  to procedure  21 (rtable_create)
	passing 2 strings, one of which creates a buffer overflow.

	$BASE/server/rtable4.c:_DtCm_rtable_create_4_svc(args)   where
	args is  of type Table_Op_Args_4: 2 client supplied strings as
	args->target and args->new_target. "new_target" is never  used
	and "target" creates the overflow later on.

	_DtCmGetPrefix will overflow its  local variable "buf"  if the
	"sep" parameter that ends the prefix is not present.

	A     secondary    problem    may    also    occur     because
	_DtCm_rtable_create_4_svc does  not make sure that  the length
	of args->target is < BUFSIZ.
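
	The two problems above, as an added example (not code from this
	advisory or from the CDE source): an unbounded prefix copy beside a
	bounded one, plus the length check on the client string. The function
	names and the out/outsz parameters are assumptions made for the example.

```c
/* Added illustration, not the CDE/rpc.cmsd source. Function names and the
 * out/outsz parameters are assumptions made for this example. */
#include <stddef.h>
#include <stdio.h>   /* BUFSIZ */

/* Pattern described in 1.2: copy until `sep` with no bound. If `sep` is
 * absent, only the NUL terminator of the client string stops the loop, so
 * a long string runs past the end of `out` (the advisory's local "buf").
 * Shown for contrast only; it is never called here. */
void get_prefix_unbounded(const char *str, char sep, char *out)
{
    while (*str != '\0' && *str != sep)
        *out++ = *str++;
    *out = '\0';
}

/* Bounded form: the copy length is limited by the destination size, not by
 * the input. Returns the prefix length, or -1 if the prefix plus its NUL
 * does not fit in outsz bytes (including the "sep is missing" case). */
int get_prefix_bounded(const char *str, char sep, char *out, size_t outsz)
{
    size_t n = 0;

    if (str == NULL || out == NULL || outsz == 0)
        return -1;
    while (str[n] != '\0' && str[n] != sep) {
        if (n + 1 >= outsz)
            return -1;              /* would overflow out: reject */
        out[n] = str[n];
        n++;
    }
    out[n] = '\0';
    return (int)n;
}

/* Check for the secondary problem: accept a client-supplied target only
 * if its length is < BUFSIZ, before it reaches any parsing code. */
int target_length_ok(const char *target)
{
    size_t i;

    if (target == NULL)
        return 0;
    for (i = 0; i < BUFSIZ; i++)
        if (target[i] == '\0')
            return 1;
    return 0;
}
```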


2. Vulnerable Supported Versions

	Operating System	Version		Affected Files
	------------------------------------------------------------------
	UnixWare 7		7.1.1		/usr/dt/bin/rpc.cmsd
	Open UNIX		8.0.0		/usr/dt/bin/rpc.cmsd


3. Workaround

	None.


4. UnixWare 7, Open UNIX 8

  4.1 Location of Fixed Binaries

	ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.12/


  4.2 Verification

	MD5 (erg711942b.Z) = 64d49dcd622cccbb2e7553e2706bc33d


	md5 is available for download from
		ftp://stage.caldera.com/pub/security/tools/


  4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following commands:

	Download erg711942b.Z to the /var/spool/pkg directory

	# uncompress /var/spool/pkg/erg711942b.Z
	# pkgadd -d /var/spool/pkg/erg711942b


5. References

	Specific references for this advisory:

		none


	Caldera UNIX security resources:

		http://stage.caldera.com/support/security/
	Caldera OpenLinux security resources:

		http://www.caldera.com/support/security/index.html


	This  advisory addresses  Caldera  Security internal incidents
	sr858623, fz519829, erg711942.


6. Disclaimer

	Caldera  International, Inc. is not responsible for the misuse
	of  any of the information  we provide  on  our website and/or
	through our  security advisories. Our advisories are a service
	to  our customers intended to promote  secure installation and
	use of Caldera International products.


7. Acknowledgements

	This  vulnerability was  discovered  and  researched  by  jGgM
	<jggm@mail.com>.

___________________________________________________________________________
