[UNIX] CDE LibDtHelp LOGNAME Buffer Overflow Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 08/26/04

  • Next message: SecuriTeam: "[NEWS] Cisco Telnet DoS Vulnerability" 
    To: list@securiteam.com
Date: 26 Aug 2004 14:05:55 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      CDE LibDtHelp LOGNAME Buffer Overflow Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    The libDtHelp library is a core component of the Common Desktop
    Environment (CDE). It provides the help subsystem used by most CDE
    applications.

    Exploitation of a buffer overflow in the libDtHelp library included with
    CDE can allow local attackers to gain root privileges.

    DETAILS

    Vulnerable Systems:
     * Solaris 8/9 without the patches found in Sun Alert 57414

    Immune Systems:
     * Solaris 8/9 patched with Sun Alert 57414

    Description:
    The vulnerability specifically exists due to a lack of bounds checking on
    the LOGNAME environment variable. Local attackers can specify a long
    LOGNAME to trigger a buffer overflow in any application linked with
    libDtHelp. The overflow is activated once the help subsystem is accessed
    by selecting any option under the Help menu.

    This vulnerability occurs in the same sequence of code as the previously
    disclosed <http://www.securiteam.com/exploits/2KUQ1Q0RPI.html>
    DTSEARCHPATH and <http://www.kb.cert.org/vuls/id/575804> DTUSERSEARCHPATH
    vulnerabilities, described in CAN-2003-0834. However, the LOGNAME
    environment variable was not reported as a method of attack in related
    advisories.

    Analysis:
    Successful exploitation leads to root level access. CDE is a widely
    deployed default desktop environment for UNIX operating systems. Depending
    on the function of the machine, this vulnerability could lead to exposure
    of highly sensitive data. The vulnerability is easily exploitable even
    when stack protections are enabled, furthering the impact of exposure.

    Workaround:
    If possible, remove the setuid bit from all applications linked to
    libDtHelp. The command 'ldd' will display libraries linked with the
    specified executable.

    Vendor Status:
    Sun successfully addressed this issue with the patches described in Sun
    Alert 57414. Specific vendor advisories addressing CAN-2003-0834 are
    available in US-CERT Vulnerability Note VU#575804 (
    <http://www.kb.cert.org/vuls/id/575804>
    http://www.kb.cert.org/vuls/id/575804). It is believed that other vendor
    patches for CAN-2003-0834 will protect against this new attack vector.

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0834>
    CAN-2003-0834

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:idlabs-advisories@idefense.com> iDEFENSE Labs.
    The original article can be found at:
    <www.idefense.com/application/poi/display?id=134&type=vulnerabilities>
    www.idefense.com/application/poi/display?id=134&type=vulnerabilities

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] Cisco Telnet DoS Vulnerability"

    Relevant Pages