Caldera OpenUnix8 Overflows (reject, lpsystem, su)

From: KF (dotslash@snosoft.com)
Date: 07/23/01


Message-ID: <3B5BE825.E6C81061@snosoft.com>
Date: Mon, 23 Jul 2001 05:02:29 -0400
From: KF <dotslash@snosoft.com>
To: vuln-dev@securityfocus.com, tigger@caldera.com
Subject: Caldera OpenUnix8 Overflows (reject, lpsystem, su)

I contacted Caldera (SCO) about some local overflows in a few binaries
that came default with my install of OpenUnix8... Here is a snippet of
the email dialog between us. Due to the lack of access to the machine
and the lack of a good debugger on the system, I have not had time to
put any further research time in. If anyone else has access to this
fairly new OS, feedback would be appreciated. Sorry for the lack of
info on this subject.
-KF

>tigger@caldera.com wrote:
>
> To: dotslash@snosoft.com
>
> Hi,
>
> We've heard that you have found some suid overflows in OU8. In
> particular, su was mentioned. We've fixed several problems with this
> command, but it didn't fully get fixed until OU8 FCS. Are you certain
> that you are not testing this on Beta?

Not unless you mailed me beta media when I purchased it last week. =]
The basics of the issues are:

/bin/su and /sbin/su are not the same file, and they both suffer the
same overflow. They differ in size, to say the least.

export TERM=`perl -e 'print "A" x 7000'`    # exported so su sees it
su -
core dump

or

export TERMINFO=<long string>
export TERM=<semilong string>
su - nobody
core dump

/usr/sbin/reject `perl -e 'print "A" x 7000'`
core dump

/usr/sbin/lpsystem `perl -e 'print "A" x 7000'`
core dump

-KF
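So that people with access to OU8 can confirm the crashes above in a repeatable way, here is an added shell triage helper. It is not part of KF's post and not Caldera code; it assumes only a POSIX sh with awk, test -u and kill -s, and that the shell reports a child killed by signal N as exit status 128+N. The binary paths in the usage comment are the ones named in the report; the lengths passed to the su probes are my own guesses where the post only says "long" and "semilong".

```shell
#!/bin/sh
# Added triage helper, not code from KF's post or from Caldera: feed a target
# the same long-string inputs the report describes and say whether the target
# died from a signal. Assumes a POSIX sh with awk, test -u and kill -s.

# longstr N C: print N copies of character C (what the post does with perl).
longstr() {
    awk -v n="$1" -v c="$2" 'BEGIN { while (n-- > 0) printf "%s", c }'
}

# killed_by CMD...: run CMD with stdin closed and print the signal number
# that killed it, or 0 if it exited on its own. POSIX shells report death
# by signal N as exit status 128+N, so 11 (SIGSEGV) or 10 (SIGBUS) here is
# the "core dump" of the report.
killed_by() {
    if "$@" </dev/null >/dev/null 2>&1; then
        st=0
    else
        st=$?
    fi
    if [ "$st" -gt 128 ]; then
        echo $((st - 128))
    else
        echo 0
    fi
}

# probe_argv BIN [LEN]: long argv[1], the way reject and lpsystem were hit.
probe_argv() {
    bin=$1
    len=${2:-7000}
    killed_by "$bin" "$(longstr "$len" A)"
}

# probe_env BIN TERMLEN INFOLEN [ARGS...]: long TERM and TERMINFO in the
# environment, the way su was hit. INFOLEN of 0 leaves TERMINFO unset.
probe_env() {
    bin=$1
    termlen=$2
    infolen=$3
    shift 3
    if [ "$infolen" -gt 0 ]; then
        killed_by env TERM="$(longstr "$termlen" A)" \
                      TERMINFO="$(longstr "$infolen" A)" "$bin" "$@"
    else
        killed_by env TERM="$(longstr "$termlen" A)" "$bin" "$@"
    fi
}

# report_argv BIN: one line per target: path, whether it is setuid (the
# part that makes a crash interesting), and the signal from the argv probe.
report_argv() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo "$bin: not present"
        return 0
    fi
    if [ -u "$bin" ]; then suid=suid; else suid=nosuid; fi
    echo "$bin $suid signal=$(probe_argv "$bin")"
}

# Usage, with the paths named in the report:
#   for b in /usr/sbin/reject /usr/sbin/lpsystem; do report_argv "$b"; done
#   probe_env /bin/su 7000 0 -
#   probe_env /sbin/su 7000 0 -
#   probe_env /bin/su 2000 7000 - nobody   # lengths assumed; post says "semilong"/"long"
```

A signal of 11 or 10 from a setuid target is the condition worth reporting back; a 0 from a binary that is present means the input was handled (or a later check bailed before the copy), and "not present" means that path does not exist on the install being tested.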
