Bugtraq mailing list archives

SCO 5.0.6 issues (lpusers)

From: "Secure Network Operations , Inc." <recon () SNOSOFT COM>
Date: Tue, 27 Mar 2001 13:37:20 +0100

======================================================================
Strategic Reconnaissance Team Security Advisory(SRT2001-05)
Topic: SCO 5.0.6 issues (lpusers)
Vendor: SCO
Release Date: 03/27/01
======================================================================
.: Description

SCO OpenServer 5.0.6 ships with suid bin/opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpusers.lpusers has poor handling of command line arguments resulting in a bufferoverflow.

lpusers will core dump if fed more than 670 chars.

.: Impact
/opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpusers -u `perl -e 'print "A" x 700'`
Memory fault - core dumped

This problem makes it possible to overwrite memory space of the runningprocess,

and potentially execute code with the inherited privileges of bin.

.: Workaround
chmod -s /opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpusers

.: Systems Affected
SCO OpenServer 5.0.6 upgrade from 5.0.x and 5.0.6 fresh install.

.: Proof of Concept
To be released at a later time.

.: Vendor Status
Vendor was notified on 03/22/01. Vendor lab tests confirmed the issue. Patch
status is unknown.

.: Credit
Kevin Finisterre
dotslash () snosoft com, krfinisterre () checkfree com

======================================================================
©Copyright 2001 Secure Network Operations , Inc.  All Rights Reserved.
Strategic Reconnaissance Team | recon () snosoft com
http://recon.snosoft.com     | http://www.snosoft.com
----------------------------------------------------------------------

Current thread:

SCO 5.0.6 issues (lpusers) Secure Network Operations , Inc. (Mar 27)