[UNIX] CDE LibDtHelp LOGNAME Buffer Overflow Vulnerability

• Previous message: SecuriTeam: "[UNIX] Music Daemon DoS and File Disclosure Vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 26 Aug 2004 14:05:55 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  CDE LibDtHelp LOGNAME Buffer Overflow Vulnerability
------------------------------------------------------------------------

SUMMARY

The libDtHelp library is a core component of the Common Desktop
Environment (CDE). It provides the help subsystem used by most CDE
applications.

Exploitation of a buffer overflow in the libDtHelp library included with
CDE can allow local attackers to gain root privileges.

DETAILS

Vulnerable Systems:
 * Solaris 8/9 without the patches found in Sun Alert 57414

Immune Systems:
 * Solaris 8/9 patched with Sun Alert 57414

Description:
The vulnerability specifically exists due to a lack of bounds checking on
the LOGNAME environment variable. Local attackers can specify a long
LOGNAME to trigger a buffer overflow in any application linked with
libDtHelp. The overflow is activated once the help subsystem is accessed
by selecting any option under the Help menu.

This vulnerability occurs in the same sequence of code as the previously
disclosed <http://www.securiteam.com/exploits/2KUQ1Q0RPI.html>
DTSEARCHPATH and <http://www.kb.cert.org/vuls/id/575804> DTUSERSEARCHPATH
vulnerabilities, described in CAN-2003-0834. However, the LOGNAME
environment variable was not reported as a method of attack in related
advisories.

Analysis:
Successful exploitation leads to root level access. CDE is a widely
deployed default desktop environment for UNIX operating systems. Depending
on the function of the machine, this vulnerability could lead to exposure
of highly sensitive data. The vulnerability is easily exploitable even
when stack protections are enabled, furthering the impact of exposure.

Workaround:
If possible, remove the setuid bit from all applications linked to
libDtHelp. The command 'ldd' will display libraries linked with the
specified executable.

Vendor Status:
Sun successfully addressed this issue with the patches described in Sun
Alert 57414. Specific vendor advisories addressing CAN-2003-0834 are
available in US-CERT Vulnerability Note VU#575804 (
<http://www.kb.cert.org/vuls/id/575804>
http://www.kb.cert.org/vuls/id/575804). It is believed that other vendor
patches for CAN-2003-0834 will protect against this new attack vector.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0834>
CAN-2003-0834

ADDITIONAL INFORMATION

The information has been provided by
<mailto:idlabs-advisories@idefense.com> iDEFENSE Labs.
The original article can be found at:
<www.idefense.com/application/poi/display?id=134&type=vulnerabilities>
www.idefense.com/application/poi/display?id=134&type=vulnerabilities

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[UNIX] Music Daemon DoS and File Disclosure Vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]