(Vulnerability in MMDF/deliver) Re: SCO UNIX Contains Multiple Vulnerabilities That Allow Users to Crash Applications and May Allow Users to Execute Arbitrary Code on the Server
SecurityTracker Alert ID: 1001184|
SecurityTracker URL: http://securitytracker.com/id/1001184
(Links to External Site)
Date: Mar 28 2001
Denial of service via local system, User access via local system|
Version(s): SCO 5.0.6|
Secure Network Operations Strategic Reconnaissance Team issued several advisories for vulnerabilities in SCO UNIX utilities and applications, including lpusers, lpshut, lpadmin, lpforms, recon, and sendmail.|
It is reported that SCO OpenServer 5.0.6 ships with a known to be vulnerable MMDF package. According to the report, the vendor states that "Recently Network Associates, Inc. issued a SECURITY ADVISORY against all versions of MMDF prior to the beta release 2.44a-B4." However, SCO reportedly still released OpenServer 5.0.6 with version 2.43.3b of MMDF.
There is a buffer overflow in /opt/K/SCO/MMDF/2.43.3b/usr/mmdf/bin/deliver that will be triggered if the command is supplied with more than 4085 characters.
A local user can cause the deliver application to crash and may be able to cause arbitrary code to be executed on the server with the inhereted root-level privileges.|
No solution was available at the time of this entry.|
Vendor URL: www.sco.com (Links to External Site)
UNIX (Open UNIX-SCO)|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Date: Tue, 27 Mar 2001 13:31:51 +0100|
Subject: SCO 5.0.6 MMDF issues (deliver)
Strategic Reconnisiance Team Security Advisory(SRT2001-03)
Topic: SCO 5.0.6 MMDF issues (deliver)
Release Date: 03/27/01
SCO OpenServer 5.0.6 ships with a previously known buggy MMDF package.
SCO Security Bulletin 2000.06 states "Recently Network Associates, Inc.
issued a SECURITY ADVISORY against all versions of MMDF prior to the
beta release 2.44a-B4" however SCO still released OpenServer 5.0.6 with
version 2.43.3b of MMDF. deliver has poor processing of command line arguments
resulting in a buffer overflow /opt/K/SCO/MMDF/2.43.3b/usr/mmdf/bin/deliver
will core dump if fed more than 4085 chars.
/opt/K/SCO/MMDF/2.43.3b/usr/mmdf/bin/deliver `perl -e 'print "A" x 5000'`
Memory fault - core dumped
This problem makes it possible to overwrite memory space of the running
and potentially execute code with the inherited privileges of root.
chmod -s /opt/K/SCO/MMDF/2.43.3b/usr/mmdf/bin/deliver
.: Systems Affected
SCO OpenServer 5.0.6 upgrade from 5.0.x and 5.0.6 fresh install.
.: Proof of Concept
To be released at a later time.
.: Vendor Status
Vendor was notified on 03/22/01. Vendor lab tests confirmed the issue. Patch
status is unknown.
ęCopyright 2001 Secure Network Operations , Inc. All Rights Reserved.
Strategic Reconnisiance Team | firstname.lastname@example.org
http://recon.snosoft.com | http://www.snosoft.com