SecurityTracker.com

SecurityTracker
Archives


 


Category:   OS (UNIX)  >   Curses Library (curses, ncurses)
Vendors:   Santa Cruz Operations
SCO Curses Library Lets Local Users Escalate Privileges, Possibly Gaining Root Privileges on the Host
SecurityTracker Alert ID:  1001825
SecurityTracker URL:  http://securitytracker.com/id/1001825
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 23 2001
Impact:   Execution of arbitrary code via local system
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   Caldera announced a vulnerability in the SCO curses library that allows a local user to escalate their privileges and possibly obtain root level privileges on the host.

SCO (Caldera) reports that a buffer overrun vulnerability has been found in the curses library. A local user can trigger the overrun by running a set user id (suid) or set group id (sgid) application/command that uses the curses library, and thereby gain additional privileges.

Two example applications are /usr/lib/sysadm/atcronsh, shipped with OpenServer, and /usr/sbin/rtpm, shipped with UnixWare 7. Note that the rtpm vulnerability was previously reported.

Impact:   A local user can obtain escalated privileges, including root level privileges, on the host.
Solution:   SCO (Caldera) has released patches. SCO notes that the curses library is shipped only as a static library, so an application would need to be re-linked with this new library to take advantage of the fix. See the Source Message for the SCO/Caldera advisory.
Vendor URL:  www.sco.com/
Cause:   Boundary error
Underlying OS:  UNIX (Open UNIX-SCO)

Message History:   None.


 Source Message Contents

Subject:  Caldera Systems security advisory: libcurses, atcronsh, rtpm


___________________________________________________________________________

		   Caldera Systems, Inc.  Security Advisory

Subject:		curses library, rtpm, atcronsh
Advisory number: 	CSSA-2001-SCO.1
Issue date: 		2001 June, 22
Cross reference:
_____________________________________________________________________________



1. Problem Description

	A buffer overrun vulnerability has been found in the curses
	library. A malicious user could attack a set{uid,gid} command
	that uses this library to gain privileges.

	One such command that is shipped with OpenServer is
	/usr/lib/sysadm/atcronsh.

	One such command that is shipped with UnixWare 7 is
	/usr/sbin/rtpm.

	In addition, the curses library is shipped only as a static
	library, so an application would need to be re-linked with
	this new library to take advantage of the fix.


2. Vulnerable Versions

	Operating System	Version		Affected Files
	----------------------------------------------------------------
	UnixWare 7		All		/usr/sbin/rtpm
						/usr/ccs/lib/libcurses.a

	OpenServer		<= 5.0.6a	/usr/lib/sysadm/atcronsh
						/usr/lib/libcurses.a

3. Workaround

	For rtpm:
		# chmod g-s /usr/sbin/rtpm

	For atcronsh:
		# chmod g-s /usr/lib/sysadm/atcronsh
		
	Otherwise, none.


4. UnixWare 7

  4.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/security/unixware/sr848806/


  4.2 Verification

	md5 checksums:
	
	ae2bc5b813dad2c729fb3593b59fd62a	libcurses.a.Z
	990d9216ed368f2939596104c60bd27b	rtpm.Z


	md5 is available for download from

		ftp://ftp.sco.com/pub/security/tools/


  4.3 Installing Fixed Binaries

	Back up the existing /usr/ccs/lib/libcurses.a, and replace it
	with the provided libcurses.a binary. Ensure that the new
	libcurses.a has bin/bin/0444 permissions.

	Back up the existing /usr/sbin/rtpm and replace it with the
	provided rtpm binary. Ensure that the new rtpm has
	bin/sys/02555 permissions.


5. OpenServer

  4.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/security/openserver/sr848771/

	libcurses.a is not yet available; expect it within a week of
	this advisory.


  4.2 Verification

	md5 checksums:
	
	bf1ce0570284a1e12256ebac0174f6d4	atcronsh.Z

	md5 is available for download from

		ftp://ftp.sco.com/pub/security/tools/


  4.3 Installing Fixed Binaries

	Back up the existing /usr/lib/sysadm/atcronsh and replace it
	with the provided atcronsh binary. Ensure that the new
	atcronsh has bin/cron/02111 permissions.

	Back up the existing /usr/lib/libcurses.a, and replace it
	with the provided libcurses.a binary. Ensure that the new
	libcurses.a has bin/bin/0644 permissions.


6. References

	Caldera security resources are located at the following url:

	http://www.calderasystems.com/support/security/index.html


7. Disclaimer

	Caldera Systems, Inc. is not responsible for the misuse of any
	of the information we provide on this website and/or through
	our security advisories. Our advisories are a service to our
	customers intended to promote secure installation and use of
	Caldera OpenLinux.


8. Acknowledgements

	Caldera wishes to thank Aycan Irican <aycan@mars.prosoft.com.tr>
	for spotting the UnixWare problem.

	Caldera wishes to thank KF <dotslash@snosoft.com> for spotting
	the OpenServer problem.
	

_____________________________________________________________________________



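The verification and installation checks from the advisory above, as an added example that is not part of the Caldera advisory or the SecurityTracker entry: a shell script that compares downloaded fix files with the published MD5 sums and an installed file with the owner/group/mode the advisory specifies. It assumes a host with GNU `md5sum` and `stat -c` rather than the `md5` tool the advisory links to; the function names and script name are hypothetical.

```shell
#!/bin/sh
# Added example (not Caldera's code): checks for the CSSA-2001-SCO.1 fix files.
# Assumes GNU coreutils (md5sum, stat -c); function names are hypothetical.
# MD5 here only detects a corrupted or swapped download; the checksums are
# only as trustworthy as the signed advisory they were copied from.

# MD5 sums copied from the advisory's "Verification" sections.
ADVISORY_SUMS='ae2bc5b813dad2c729fb3593b59fd62a libcurses.a.Z
990d9216ed368f2939596104c60bd27b rtpm.Z
bf1ce0570284a1e12256ebac0174f6d4 atcronsh.Z'

# verify_md5 FILE EXPECTED: 0 on match, 1 on mismatch, 2 if FILE is missing.
verify_md5() {
    [ -f "$1" ] || return 2
    actual=$(md5sum < "$1" | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# check_perms FILE OWNER/GROUP/MODE, in the advisory's form (bin/sys/02555).
check_perms() {
    [ -e "$1" ] || return 2
    want_og=${2%/*}                                   # owner/group
    want_mode=$(printf '%s' "${2##*/}" | sed 's/^0*//') # 02555 -> 2555
    [ "$(stat -c '%U/%G' "$1")" = "$want_og" ] &&
        [ "$(stat -c '%a' "$1")" = "$want_mode" ]
}

# verify_downloads DIR: check each advisory file present in DIR;
# files that are absent are skipped. Returns the number of mismatches.
verify_downloads() {
    bad=0
    while read -r sum name; do
        [ -f "$1/$name" ] || { echo "SKIP $name (not present)"; continue; }
        if verify_md5 "$1/$name" "$sum"; then
            echo "OK   $name"
        else
            echo "FAIL $name"; bad=$((bad + 1))
        fi
    done <<EOF
$ADVISORY_SUMS
EOF
    return "$bad"
}

# Usage: sh verify_fix.sh /path/to/downloads
if [ "$#" -ge 1 ] && [ -d "$1" ]; then
    verify_downloads "$1" || echo "$? file(s) failed verification"
fi
```

After installing, `check_perms /usr/sbin/rtpm bin/sys/02555` (and the matching calls for the other files) confirms the ownership and mode the advisory asks for.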
