sastcpd 8.0 'authprog' local root vulnerability
From: rpc (rpc@unholy.net)Date: 01/31/02
- Previous message: Root Extractor: "[ WWWThreads, UBBThreads ] Security Hole in upload system"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 30 Jan 2002 22:40:58 -0800 From: rpc <rpc@unholy.net> To: bugtraq@securityfocus.com
Hi,
Several environment variable problems exist in the 'SAS Job Spawner for Open Systems version 8.00'. No other releases of the software were available to test. Sorry.
authprog vulnerability
----------------------
The daemon passes a user-defined environment variable, 'authprog', to execve(). This obviously is a problem if sastcpd is setuid. A sample 'exploit' is attached.
netencralg vulnerability
------------------------
I haven't poked at this long enough to determine whether or not it is exploitable. sastcpd segfaults if 'netencralg' is set to any value.
All test were run on SunOS 5.8.
Both vulnerabilities were discovered with Dave Aitel's/AtStake simple-yet-sexy sharefuzz 1.0.
cheers,
--rpc
- text/x-sh attachment: authme.sh
- application/pgp-signature attachment: stored
- Previous message: Root Extractor: "[ WWWThreads, UBBThreads ] Security Hole in upload system"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
