[UNIX] Sun Microsystems Solaris srsexec Format String Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 5 Nov 2007 19:05:25 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Sun Microsystems Solaris srsexec Format String Vulnerability
The srsexec utility <http://www.sun.com/service/netconnect/> is part of
the SRS Proxy Core package that is available with Solaris 10. This package
is used to monitor the performance of clients running Solaris from a
centralized administrative console. This software would be installed on
all of the client machines being monitored and is set-uid root by default.
Local exploitation of a format string vulnerability in the srsexec binary,
optionally included in Sun Microsystems Inc.'s Solaris 10, allows
attackers to execute arbitrary code with root privileges.
* Solaris 10 with the SUNWsrspx package
The vulnerability exists because attacker-supplied data is passed directly
to the syslog() function as the format string. This allows an attacker to
overwrite arbitrary memory with arbitrary data, and can result in the
execution of arbitrary code with root privileges.
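The call pattern described above and its constant-format fix, as an added C example. It is not code from srsexec, Sun or iDefense; the function names and the sample string are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable pattern from the advisory, shown only as a comment:
 *     syslog(LOG_ERR, user_msg);   -- user_msg is parsed as a format string
 */

/* Hardened form: the format is a constant and the untrusted text is an
 * argument, so any '%' it contains is logged literally. */
void log_untrusted(int priority, const char *user_msg)
{
    syslog(priority, "%s", user_msg);
}

/* Same rule applied to snprintf(), so the effect can be inspected
 * without a syslog daemon. Returns the length snprintf() reports. */
int render_untrusted(char *out, size_t outlen, const char *user_msg)
{
    return snprintf(out, outlen, "%s", user_msg);
}

/* Audit helper (hypothetical): count conversion directives in a string
 * that is about to be used as a format. "%%" is a literal percent sign
 * and is not counted. A non-zero result for user-derived data means the
 * call site must be changed to the constant-format form above. */
size_t count_directives(const char *s)
{
    size_t n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {          /* escaped percent, skip both */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    const char *sample = "job %x %s failed 100%%";   /* constructed input */
    char buf[64];

    render_untrusted(buf, sizeof buf, sample);
    printf("logged literally: %s\n", buf);
    printf("directives found: %zu\n", count_directives(sample));
    log_untrusted(LOG_ERR, sample);
    return 0;
}
```

Compiling with -Wformat -Wformat-security makes GCC and Clang flag calls whose format argument is not a string literal.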
Exploitation results in the execution of arbitrary code with root
privileges. In order to exploit this vulnerability, an attacker must have
the ability to execute the set-uid root binary.
The SRS Proxy Core package is not installed by default, but it is a common
To prevent exploitation of this vulnerability, remove the set-uid bit from
the srsexec binary as shown below.
# chmod -s /opt/SUNWsrspx/bin/srsexec
Sun Microsystems has addressed this vulnerability by releasing patches.
For more information, consult Sun Alert 103119 at the following URL:
07/18/2007 - Initial vendor notification
07/18/2007 - Initial vendor response
11/02/2007 - Public disclosure
The information has been provided by iDefense Labs Security Advisories
<mailto:idlabs-advisories@xxxxxxxxxxxx>.
The original article can be found at: