[UNIX] SCO Multiple Local Buffer Overflow

• Previous message: SecuriTeam: "[EXPL] Hasbani WindWeb DoS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 31 Oct 2005 09:01:14 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  SCO Multiple Local Buffer Overflow
------------------------------------------------------------------------

SUMMARY

" <http://www.sco.com/products/unixware714/> SCO UnixWare is a UNIX
operating system." " <http://www.sco.com/products/openserver6/> SCO
OpenServer is a UNIX-like operating system for x86 platforms."

Lack of proper length validation in SCO Unixware and Openserver based
products allow local attackers to execute arbitrary code with elevated
privileges.

DETAILS

Vulnerable Systems:
 * SCO Unixware version 7.1.3
 * SCO Unixware version 7.1.4
 * SCO Openserver version 5.0.7

Unixware Setuid ppp prompt Buffer Overflow:
Local exploitation of a buffer overflow vulnerability in the ppp binary,
as included in Unixware, allows attackers to gain root privileges.

The vulnerability specifically exists because of a failure to check the
length of user input. If the user running the ppp program enters an
argument to the "prompt" or "defprompt" command that exceeds 256 bytes in
length, a stack based overflow occurs. This leads to the execution of
arbitrary code with root privileges, as ppp is setuid root by default.

Successful exploitation of this vulnerability requires that user have
local access to the system; it would allow the user to gain superuser
privileges.

Workaround:
As a workaround solution, remove the setuid bit from the backupsh binary
until a vendor patch can be applied.
  # chmod u-s /usr/bin/ppp

Openserver authsh 'Home' Buffer Overflow:
Local exploitation of a buffer overflow vulnerability in Openserver
operating system could allow an attacker to gain root privileges.

The authsh utility is a standard binary distributed with the Openserver
platform. The vulnerability specifically exists because of a lack of
bounds checking on the value given to the "HOME" environment variable.
Local attackers can supply a specially crafted string to overflow a stack
buffer and execute arbitrary code with group auth privileges.

Successful exploitation of this vulnerability will result in execution of
arbitrary code with permissions of the running process. The binary is
setgid auth by default and can be used by attackers with a local account
to gain root privileges, as the group auth has write access to system
authentication information. An attacker would only need to modify the
system passwd file to grant an account they control superuser privileges.

Workaround:
As a workaround solution, remove the setgid bit from the authsh binary
until a vendor patch can be applied.
  # chmod -g /opt/K/SCO/Unix/5.0.7Hw/usr/lib/sysadm/authsh

backupsh 'Home' Buffer Overflow:
Local exploitation of a buffer overflow vulnerability Openserver operating
system could allow an attacker to gain access to the backup group.

The backupsh utility is a standard binary distributed with the Openserver
platform. The vulnerability specifically exists because of a lack of
bounds checking on the value given to the "HOME" environment variable.
Local attackers can supply a specially crafted string to overflow a stack
buffer and execute arbitrary code with group backup privileges.

Successful exploitation of this vulnerability will result in execution of
arbitrary code with permissions of the running process. The binary is
setgid backup by default and can be used by attackers with a local account
to gain backup privileges.

Workaround:
As a workaround solution, remove the setgid bit from the backupsh binary
until a vendor patch can be applied.
  # chmod g-s /opt/K/SCO/Unix/5.0.7Hw/usr/lib/sysadm/backupsh

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2926>
CVE-2005-2926
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2927>
CVE-2005-2927

Disclosure Timeline:
09/08/2005 - Initial vendor notification
09/09/2005 - Initial vendor response
10/24/2005 - Public disclosure

ADDITIONAL INFORMATION

The information has been provided by
<mailto:idlabs-advisories@lists.idefense.com> iDEFENSE Labs.
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=326&type=vulnerabilities> http://www.idefense.com/application/poi/display?id=326&type=vulnerabilities,
 
<http://www.idefense.com/application/poi/display?id=327&type=vulnerabilities> http://www.idefense.com/application/poi/display?id=327&type=vulnerabilities,
 
<http://www.idefense.com/application/poi/display?id=328&type=vulnerabilities> http://www.idefense.com/application/poi/display?id=328&type=vulnerabilities
The vendor advisory can be found at:
<ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.40/SCOSA-2005.40.txt>
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.40/SCOSA-2005.40.txt,
 <ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.41/SCOSA-2005.41.txt>
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.41/SCOSA-2005.41.txt

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[EXPL] Hasbani WindWeb DoS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]