[UNIX] Sun Microsystems Solaris srsexec Format String Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Sun Microsystems Solaris srsexec Format String Vulnerability
------------------------------------------------------------------------


SUMMARY

The srsexec utility <http://www.sun.com/service/netconnect/> is part of
the SRS Proxy Core package that is available with Solaris 10. This package
is used to monitor the performance of clients running Solaris from a
centralized administrative console. This software would be installed on
all of the client machines being monitored and is set-uid root by default.
Local exploitation of a format string vulnerability in the srsexec binary,
optionally included in Sun Microsystems Inc.'s Solaris 10, allows
attackers to execute arbitrary code with root privileges.

DETAILS

Vulnerable Systems:
* Solaris 10 with the SUNWsrspx package

The vulnerability exists because attacker-supplied data is passed directly
to the syslog() function as the format string. This allows an attacker to
overwrite arbitrary memory with arbitrary data, and can result in the
execution of arbitrary code with root privileges.
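
The bug class described above, shown next to its fix. This is an added
example, not code from the advisory or from Sun; capture_log, log_vulnerable,
log_fixed and syslog_fixed are hypothetical names, and capture_log stands in
for syslog() so the formatted text can be inspected.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical stand-in for syslog(): same printf-style formatting, but
 * written to a buffer so the result can be inspected. */
static int capture_log(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Bug class from the advisory: the untrusted string IS the format string,
 * so every '%' in it is interpreted as a conversion specification. */
int log_vulnerable(char *out, size_t n, const char *untrusted)
{
    return capture_log(out, n, untrusted);
}

/* Fix: the format is a constant; untrusted data is only ever an argument. */
int log_fixed(char *out, size_t n, const char *untrusted)
{
    return capture_log(out, n, "%s", untrusted);
}

/* The same fix applied to the real API. */
void syslog_fixed(const char *untrusted)
{
    syslog(LOG_ERR, "%s", untrusted);
}

int main(void)
{
    /* Constructed input. "%%" consumes no argument, so interpreting it is
     * well defined and makes the difference visible. */
    const char *input = "load 100%% done";
    char a[64], b[64];

    log_vulnerable(a, sizeof a, input);
    log_fixed(b, sizeof b, input);
    printf("vulnerable: %s\nfixed:      %s\n", a, b);
    return 0;
}
```

GCC and Clang report the vulnerable form when it is written directly against
syslog() and the code is built with -Wformat -Wformat-security.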

Analysis:
Exploitation results in the execution of arbitrary code with root
privileges. In order to exploit this vulnerability, an attacker must have
the ability to execute the set-uid root binary.

The SRS Proxy Core package is not installed by default, but it is a common
application.

Workaround:
To prevent exploitation of this vulnerability, remove the set-uid bit from
the srsexec binary as shown below.

# chmod -s /opt/SUNWsrspx/bin/srsexec

Vendor response:
Sun Microsystems has addressed this vulnerability by releasing patches.
For more information, consult Sun Alert 103119 at the following URL:
<http://sunsolve.sun.com/search/document.do?assetkey=1-26-103119-1>

CVE Information:
CVE-2007-3880
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3880>

Disclosure timeline:
07/18/2007 - Initial vendor notification
07/18/2007 - Initial vendor response
11/02/2007 - Public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense Labs Security Advisories
<mailto:idlabs-advisories@xxxxxxxxxxxx>.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=610>


