 | ||||||
| << Previous | INDEX | Search | src | Set bookmark | Go to bookmark | Next >> |
| ||||||
| |||||||||||||||||||||
From: SecuriTeam <support@securiteam.com.> To: list@securiteam.com Date: 31 Oct 2005 09:01:14 +0200 Subject: [UNIX] SCO Multiple Local Buffer Overflow Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <20051031075814.8CD9B57A7@mail.tyumen.ru.> X-Virus-Scanned: antivirus-gw at tyumen.ru The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com - - promotion The SecuriTeam alerts list - Free, Accurate, Independent. Get your security news from a reliable source. http://www.securiteam.com/mailinglist.html - - - - - - - - - SCO Multiple Local Buffer Overflow ------------------------------------------------------------------------ SUMMARY " <http://www.sco.com/products/unixware714/>; SCO UnixWare is a UNIX operating system." " <http://www.sco.com/products/openserver6/>; SCO OpenServer is a UNIX-like operating system for x86 platforms." Lack of proper length validation in SCO Unixware and Openserver based products allow local attackers to execute arbitrary code with elevated privileges. DETAILS Vulnerable Systems: * SCO Unixware version 7.1.3 * SCO Unixware version 7.1.4 * SCO Openserver version 5.0.7 Unixware Setuid ppp prompt Buffer Overflow: Local exploitation of a buffer overflow vulnerability in the ppp binary, as included in Unixware, allows attackers to gain root privileges. The vulnerability specifically exists because of a failure to check the length of user input. If the user running the ppp program enters an argument to the "prompt" or "defprompt" command that exceeds 256 bytes in length, a stack based overflow occurs. This leads to the execution of arbitrary code with root privileges, as ppp is setuid root by default. Successful exploitation of this vulnerability requires that user have local access to the system; it would allow the user to gain superuser privileges. Workaround: As a workaround solution, remove the setuid bit from the backupsh binary until a vendor patch can be applied. # chmod u-s /usr/bin/ppp Openserver authsh 'Home' Buffer Overflow: Local exploitation of a buffer overflow vulnerability in Openserver operating system could allow an attacker to gain root privileges. The authsh utility is a standard binary distributed with the Openserver platform. The vulnerability specifically exists because of a lack of bounds checking on the value given to the "HOME" environment variable. Local attackers can supply a specially crafted string to overflow a stack buffer and execute arbitrary code with group auth privileges. Successful exploitation of this vulnerability will result in execution of arbitrary code with permissions of the running process. The binary is setgid auth by default and can be used by attackers with a local account to gain root privileges, as the group auth has write access to system authentication information. An attacker would only need to modify the system passwd file to grant an account they control superuser privileges. Workaround: As a workaround solution, remove the setgid bit from the authsh binary until a vendor patch can be applied. # chmod -g /opt/K/SCO/Unix/5.0.7Hw/usr/lib/sysadm/authsh backupsh 'Home' Buffer Overflow: Local exploitation of a buffer overflow vulnerability Openserver operating system could allow an attacker to gain access to the backup group. The backupsh utility is a standard binary distributed with the Openserver platform. The vulnerability specifically exists because of a lack of bounds checking on the value given to the "HOME" environment variable. Local attackers can supply a specially crafted string to overflow a stack buffer and execute arbitrary code with group backup privileges. Successful exploitation of this vulnerability will result in execution of arbitrary code with permissions of the running process. The binary is setgid backup by default and can be used by attackers with a local account to gain backup privileges. Workaround: As a workaround solution, remove the setgid bit from the backupsh binary until a vendor patch can be applied. # chmod g-s /opt/K/SCO/Unix/5.0.7Hw/usr/lib/sysadm/backupsh CVE Information: <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2926>; CVE-2005-2926 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2927>; CVE-2005-2927 Disclosure Timeline: 09/08/2005 - Initial vendor notification 09/09/2005 - Initial vendor response 10/24/2005 - Public disclosure ADDITIONAL INFORMATION The information has been provided by <mailto:idlabs-advisories@lists.idefense.com.> iDEFENSE Labs. The original article can be found at: <http://www.idefense.com/application/poi/display?id=326&type=vulnerabilities>; http://www.idefense.com/application/poi/display?id=326&type=vulnerabilities, <http://www.idefense.com/application/poi/display?id=327&type=vulnerabilities>; http://www.idefense.com/application/poi/display?id=327&type=vulnerabilities, <http://www.idefense.com/application/poi/display?id=328&type=vulnerabilities>; http://www.idefense.com/application/poi/display?id=328&type=vulnerabilities The vendor advisory can be found at: <ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.40/SCOSA-2005.40.txt>; ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.40/SCOSA-2005.40.txt, <ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.41/SCOSA-2005.41.txt>; ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.41/SCOSA-2005.41.txt
This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
| |||||||||||||||||||||
|
|
|
