[UNIX] Buffer Overflow Vulnerability in Action Argument of dtaction
From: support@securiteam.com
Date: 10/24/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] Buffer Overflow Vulnerability in Action Argument of dtaction
Message-Id: <20011024090616.BFC96138BF@mail.der-keiler.de>
Date: Wed, 24 Oct 2001 11:06:16 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Buffer Overflow Vulnerability in Action Argument of dtaction
------------------------------------------------------------------------
SUMMARY
The dtaction utility allows applications or shell scripts that are
otherwise not connected to the CDE development environment to invoke
action requests. The action called action_name is invoked with the
action_arg provided on the command line. A single action_name is required;
the user may provide any number of action_args. A buffer overflow occurs
when an action_arg has more than 1023 characters.
DETAILS
Vulnerable systems:
SunOS 5.8 (x86)
SunOS 5.6 (Sparc)
It is possible to confirm the buffer overflow vulnerability of action_arg
in /usr/dt/bin/dtaction by following this procedure:
$ DISPLAY="127.0.0.1:0.0"
$ export DISPLAY
$ /usr/dt/bin/dtaction foo `perl -e 'print "A"x1023'`
Segmentation Fault
$ ls -l /usr/dt/bin/dtaction
-r-sr-sr-x 1 root sys 22496 Dec 2 1999 /usr/dt/bin/dtaction
$ uname -svrm
SunOS 5.8 Generic_108529-10 i86pc
Workaround:
If dtaction does not need its root suid or sys setgid permission, remove
the suid and setgid bits from /usr/dt/bin/dtaction.
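One way to apply and verify the workaround above, as an added example that is not part of the original advisory. The function names has_setid and strip_setid are hypothetical; the only path taken from the advisory is /usr/dt/bin/dtaction, which is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the advisory): remove the setuid/setgid bits
# from a file and confirm that the change took effect.
# has_setid and strip_setid are hypothetical helper names.

# has_setid FILE
# Exit 0 if FILE has the setuid or setgid bit, 1 if neither,
# 2 if FILE is not a regular file.
has_setid() {
    [ -f "$1" ] || return 2
    [ -u "$1" ] || [ -g "$1" ]
}

# strip_setid FILE
# Record the current mode, clear both bits, then re-check the file so a
# silent failure (read-only filesystem, wrong owner) is reported.
strip_setid() {
    f=$1
    [ -f "$f" ] || { echo "skip: $f is not a regular file" >&2; return 2; }
    if ! has_setid "$f"; then
        echo "ok: $f has no setuid/setgid bit"
        return 0
    fi
    # Keep the old mode string in the output so the change can be reverted.
    before=$(ls -ld "$f" | awk '{print $1}')
    chmod u-s,g-s "$f" || { echo "fail: chmod on $f" >&2; return 1; }
    if has_setid "$f"; then
        echo "fail: $f still has a setuid/setgid bit" >&2
        return 1
    fi
    after=$(ls -ld "$f" | awk '{print $1}')
    echo "changed: $f $before -> $after"
}

# Process any paths given on the command line.
if [ "$#" -gt 0 ]; then
    for path in "$@"; do
        strip_setid "$path"
    done
fi
```

Run it as root with /usr/dt/bin/dtaction as the argument; the "changed:" line records the original mode string in case the bits have to be restored.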
ADDITIONAL INFORMATION
The information has been provided by bknight
<mailto:bknight@iland.co.kr>.