[UNIX] Slrnpull Buffer Overflow (-d Parameter)
From: support@securiteam.comDate: 04/22/02
- Previous message: support@securiteam.com: "[UNIX] AFS/Kerberos Support in OpenSSH Poses a Security Threat"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Mon, 22 Apr 2002 22:11:21 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Slrnpull Buffer Overflow (-d Parameter)
------------------------------------------------------------------------
SUMMARY
<http://www.bebits.com/app/840> Slrnpull is used for pulling of news
posts from NNTP news server, enabling "slrn" to be used as offline
newsreader. A security vulnerability in the product allows local attackers
to cause it to execute arbitrary code by overflowing an internal buffer.
DETAILS
Vulnerable systems:
Linux RedHat version 6.2 (Sparc64) and below (On SPARC platform, it is
configured to have the setgid root attribute)
A security vulnerability in the slrnpull allows local users to overflow
one of the parameter (-d) and cause the application to execute arbitrary
code and since the program is setuid root, elevated privileges can be
gained.
Example:
[alex@Lab /tmp]$ ls -la /usr/bin/slrnpull
-rwxr-sx-- 1 news news 48688 Feb 7 2000 /usr/bin/slrnpull
[alex@Lab /tmp]$ /usr/bin/slrnpull -d `perl -e 'print "A" x 4091'`
04/01/2002 22:23:11 ***File name too long.
04/01/2002 22:23:11 slrnpull started.
Segmentation fault
Workaround:
Temporarily remove the suid root or sgid root attribute of slrnpull:
# chmod a-s /usr/bin/slrnpull
ADDITIONAL INFORMATION
The information has been provided by <mailto:alex_hernandez@ureach.com>
Alex Hernandez.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[UNIX] AFS/Kerberos Support in OpenSSH Poses a Security Threat"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
