(Vulnerability in MMDF/deliver) Re: SCO UNIX Contains Multiple Vulnerabilities That Allow Users to Crash Applications and May Allow Users to Execute Arbitrary Code on the Server
|
|
SecurityTracker Alert ID: 1001184 |
|
SecurityTracker URL: http://securitytracker.com/id/1001184
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Mar 28 2001
|
Impact:
Denial of service via local system, User access via local system
|
|
Version(s): SCO 5.0.6
|
Description:
Secure Network Operations Strategic Reconnaissance Team issued several advisories for vulnerabilities in SCO UNIX utilities and applications, including lpusers, lpshut, lpadmin, lpforms, recon, and sendmail.
It is reported that SCO OpenServer 5.0.6 ships with a known to be vulnerable MMDF package. According to the report, the vendor states that "Recently Network Associates, Inc. issued a SECURITY ADVISORY against all versions of MMDF prior to the beta release 2.44a-B4." However, SCO reportedly still released OpenServer 5.0.6 with version 2.43.3b of MMDF.
There is a buffer overflow in /opt/K/SCO/MMDF/2.43.3b/usr/mmdf/bin/deliver that will be triggered if the command is supplied with more than 4085 characters.
|
Impact:
A local user can cause the deliver application to crash and may be able to cause arbitrary code to be executed on the server with the inhereted root-level privileges.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.sco.com (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
UNIX (Open UNIX-SCO)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Tue, 27 Mar 2001 13:31:51 +0100
Subject: SCO 5.0.6 MMDF issues (deliver)
|
======================================================================
Strategic Reconnisiance Team Security Advisory(SRT2001-03)
Topic: SCO 5.0.6 MMDF issues (deliver)
Vendor: SCO
Release Date: 03/27/01
======================================================================
.: Description
SCO OpenServer 5.0.6 ships with a previously known buggy MMDF package.
SCO Security Bulletin 2000.06 states "Recently Network Associates, Inc.
issued a SECURITY ADVISORY against all versions of MMDF prior to the
beta release 2.44a-B4" however SCO still released OpenServer 5.0.6 with
version 2.43.3b of MMDF. deliver has poor processing of command line arguments
resulting in a buffer overflow /opt/K/SCO/MMDF/2.43.3b/usr/mmdf/bin/deliver
will core dump if fed more than 4085 chars.
.: Impact
/opt/K/SCO/MMDF/2.43.3b/usr/mmdf/bin/deliver `perl -e 'print "A" x 5000'`
Memory fault - core dumped
This problem makes it possible to overwrite memory space of the running
process,
and potentially execute code with the inherited privileges of root.
.: Workaround
chmod -s /opt/K/SCO/MMDF/2.43.3b/usr/mmdf/bin/deliver
.: Systems Affected
SCO OpenServer 5.0.6 upgrade from 5.0.x and 5.0.6 fresh install.
.: Proof of Concept
To be released at a later time.
.: Vendor Status
Vendor was notified on 03/22/01. Vendor lab tests confirmed the issue. Patch
status is unknown.
.: Credit
Kevin Finisterre
dotslash@snosoft.com, krfinisterre@checkfree.com
======================================================================
©Copyright 2001 Secure Network Operations , Inc. All Rights Reserved.
Strategic Reconnisiance Team | recon@snosoft.com
http://recon.snosoft.com | http://www.snosoft.com
----------------------------------------------------------------------
|
|
