[UNIX] HPUX rexec Buffer Overflow Vulnerability

• Previous message: SecuriTeam: "[NT] MDaemon SMTP/POP/IMAP Server DELE and UIDL DoS (Negative Value)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 30 Apr 2003 11:27:58 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

In the US?

Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!

Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -

  HPUX rexec Buffer Overflow Vulnerability
------------------------------------------------------------------------

SUMMARY

The rexec command works the same as remsh except that it uses the rexec()
library routine and rexecd for command execution and does not support
Kerberos authentication. One of the parameters rexec tool receives allows
attackers to cause a buffer to overflow.

DETAILS

Rexec uses the "-l" option to specify a different remote username.

$ ls -al rexec
 -r-sr-xr-x 1 root bin 20480 Oct 27 1997 rexec

Using rexec with "-l" with a long option string:

$ rexec 127.0.0.1 -l `perl -e 'printf "A" x 9777'` -n something
Memory fault

Solution:
Davide is in contact with HP's Security staff, especially with John
Morris, and Davide would like to thanks him and all his staff for the
interest demonstrated during this period of research on HP-UX. He assured
Davide, a patch has been written, and an Official Security Bulletin will
follow Davide's advisory.

ADDITIONAL INFORMATION

The information has been provided by <mailto:dante@alighieri.org> Davide
Del Vecchio.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] MDaemon SMTP/POP/IMAP Server DELE and UIDL DoS (Negative Value)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages [UNIX] HPUX dtprintinfo Buffer Overflow Vulnerability ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... Davide is in contact with HP's Security staff, ... The information in this bulletin is provided "AS IS" without warranty of any kind. ... (Securiteam) [NEWS] Undocumented Account Vulnerability in Avaya P550R/P580/P880/P882 Switches ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Two undocumented accounts with default passwords allow access via telnet ... * Avaya Cajun P580 software version 5.3.0 ... (Securiteam) [Full-Disclosure] [OpenPKG-SA-2003.048] OpenPKG Security Advisory (postgresql) ... This is an update for the OpenPKG security advisory ... The package postgresql-7.3.1-1.2.4 accompanying this ... (Full-Disclosure) [OpenPKG-SA-2003.048] OpenPKG Security Advisory (postgresql) ... This is an update for the OpenPKG security advisory ... The package postgresql-7.3.1-1.2.4 accompanying this ... (Bugtraq) Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability ... >> It's about posting security advisories. ... > in BETA stage. ... > to the gmail team all bugs AND security holes we may find. ... > list or elsewhere are NOT considered 'Security Advisory' for me. ... (Full-Disclosure)