Bugtraq mailing list archives
SCO 5.0.6 issues (lpusers)
From: "Secure Network Operations , Inc." <recon () SNOSOFT COM>
Date: Tue, 27 Mar 2001 13:37:20 +0100
====================================================================== Strategic Reconnaissance Team Security Advisory(SRT2001-05) Topic: SCO 5.0.6 issues (lpusers) Vendor: SCO Release Date: 03/27/01 ====================================================================== .: DescriptionSCO OpenServer 5.0.6 ships with suid bin /opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpusers. lpusers has poor handling of command line arguments resulting in a buffer overflow.
lpusers will core dump if fed more than 670 chars. .: Impact /opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpusers -u `perl -e 'print "A" x 700'` Memory fault - core dumpedThis problem makes it possible to overwrite memory space of the running process,
and potentially execute code with the inherited privileges of bin. .: Workaround chmod -s /opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpusers .: Systems Affected SCO OpenServer 5.0.6 upgrade from 5.0.x and 5.0.6 fresh install. .: Proof of Concept To be released at a later time. .: Vendor Status Vendor was notified on 03/22/01. Vendor lab tests confirmed the issue. Patch status is unknown. .: Credit Kevin Finisterre dotslash () snosoft com, krfinisterre () checkfree com ====================================================================== ©Copyright 2001 Secure Network Operations , Inc. All Rights Reserved. Strategic Reconnaissance Team | recon () snosoft com http://recon.snosoft.com | http://www.snosoft.com ----------------------------------------------------------------------
Current thread:
- SCO 5.0.6 issues (lpusers) Secure Network Operations , Inc. (Mar 27)