SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (UNIX)  >   su Vendors:   Caldera/SCO
SCO Unix su Utility Environment Variable Buffer Overflow Lets Local Users Obtain Root Level Privileges
SecurityTracker Alert ID:  1002076
SecurityTracker URL:  http://securitytracker.com/id/1002076
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 25 2001
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): UnixWare 7, all versions (/usr/bin/su, /sbin/su); OpenUnix 8, version 8.0.0 (/usr/bin/su, /sbin/su)
Description:   Caldera reported a vulnerability in the SCO Unix su substitute user utility that allows local users to gain elevated privileges, including root level privileges.

It is reported that if a local user sets the TERM environment variable to a particular long length and then executes the su utility, the user can trigger a buffer overflow that will cause arbitrary code to be executed with root level privileges.

Impact:   A local user can obtain root level privileges.
Solution:   The vendor has released a fix. See the Source Message for the vendor advisory.
Vendor URL:  www.calderasystems.com/support/security/index.html (Links to External Site)
Cause:   Boundary error
Underlying OS:  UNIX (Open UNIX-SCO)

Message History:   None.


 Source Message Contents

Subject:  Security Update: [CSSA-2001-SCO.7] OpenUnix, UnixWare: su buffer overflow


--A6N2fC+uXW/VQSAv
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: 8bit            

To: bugtraq@securityfocus.com security-announce@lists.securityportal.com announce@lists.caldera.com

___________________________________________________________________________

	    Caldera International, Inc. Security Advisory

Subject:		OpenUnix, UnixWare: su buffer overflow
Advisory number: 	CSSA-2001-SCO.7
Issue date: 		2001 July 24
Cross reference:
___________________________________________________________________________



1. Problem Description
	
	Long values of the TERM variable can cause the su command to
	have a memory fault. This might be exploited by an
	unauthorized user to gain privileges.


2. Vulnerable Versions

	Operating System	Version		Affected Files
	------------------------------------------------------------------
	UnixWare 7		All		/usr/bin/su
						/sbin/su
	OpenUnix 8		8.0.0		/usr/bin/su
						/sbin/su


3. Workaround

	None.


4. UnixWare 7

  4.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/security/unixware/sr849768/


  4.2 Verification

	md5 checksums:
	
	1381b35641cce39556d9d8365a170821	erg711787a.Z


	md5 is available for download from

		ftp://ftp.sco.com/pub/security/tools/


  4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following commands:

	# uncompress /tmp/erg711787a.Z
	# pkgadd -d /tmp/erg711787a


5. OpenUnix 8

  4.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/security/openunix/sr849768/


  4.2 Verification

	md5 checksums:
	
	1381b35641cce39556d9d8365a170821	erg711787a.Z


	md5 is available for download from

		ftp://ftp.sco.com/pub/security/tools/


  4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following commands:


	# uncompress /tmp/erg711787a.Z
	# pkgadd -d /tmp/erg711787a


6. References

	http://www.calderasystems.com/support/security/index.html


7. Disclaimer

	Caldera International, Inc. is not responsible for the misuse
	of any of the information we provide on our website and/or
	through our security advisories. Our advisories are a service
	to our customers intended to promote secure installation and
	use of Caldera International products.


8.Acknowledgements

	Caldera International wishes to thank KF<dotslash@snosoft.com>
	for reporting the problem.
	 
___________________________________________________________________________

--A6N2fC+uXW/VQSAv
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjtd8rAACgkQaqoBO7ipriGv4ACfVYcqEDykZJDxzXf4cPNgcFWL
/ncAoKu7B3YFOBoj8tQe+Yp5h5c8XxHF
=RL+k
-----END PGP SIGNATURE-----

--A6N2fC+uXW/VQSAv--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC