SecurityTracker.com

Category:   Application (Generic)  >   Dt Utilities
Vendors:   Caldera/SCO
Caldera Open Unix Common Desktop Environment (CDE) Dt Utilities Have Buffer Overflows That Let Local Users Obtain Root Privileges on the Host
SecurityTracker Alert ID:  1002557
SecurityTracker URL:  http://securitytracker.com/id/1002557
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 16 2001
Impact:   Execution of arbitrary code via local system, Root access via local system, User access via local system


Description:   A vulnerability has been reported in various Common Desktop Environment (CDE) dt binaries for Caldera Open Unix. A local user can obtain root level privileges on the system.

It is reported that all set user id (suid) and set group id (sgid) utilities in the /usr/dt/bin directory (except for dtmail) have buffer overflows that can be triggered to cause arbitrary code to be executed with elevated or root level privileges.

A local user can trigger the flaw by setting a long $HOME or $PATH environment variable (or a combination of the two).

It is reported that dtterm is one of the affected utilities.

Impact:   A local user can execute arbitrary code with root level privileges and obtain root level access on the host.
Solution:   Some but not all of the vulnerabilities have reportedly been corrected. See the vendor's advisories at:

http://stage.caldera.com/support/security

Vendor URL:  stage.caldera.com/support/security
Cause:   Boundary error
Underlying OS:  UNIX (Open UNIX-SCO)

Message History:   None.
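
The boundary error described above, as an added example that is not part of the original alert and not taken from the CDE sources: an unchecked copy of an environment variable into a fixed buffer, beside a bounded form and a start-up length check for a privileged program. The buffer size `CFG_MAX`, the `/.dt/config` suffix and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CFG_MAX 256   /* assumed fixed buffer size; the real dt code is not on the page */

/* Unchecked pattern: correct only while `home` is short. A longer value is
 * written past the end of `out`, which is the boundary error class named above. */
void config_path_unchecked(char *out, const char *home)
{
    strcpy(out, home);
    strcat(out, "/.dt/config");          /* hypothetical suffix */
}

/* Bounded form: returns 0 on success, -1 if `home` is unset or the result
 * would not fit. A truncated path is refused, not used. */
int config_path_checked(char *out, size_t outlen, const char *home)
{
    int n;
    if (home == NULL || outlen == 0)
        return -1;
    n = snprintf(out, outlen, "%s/.dt/config", home);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Start-up check: 1 if the value is unset or shorter than `limit`, else 0. */
int env_value_ok(const char *value, size_t limit)
{
    return value == NULL || strlen(value) < limit;
}

int main(void)
{
    char path[CFG_MAX];
    const char *home = getenv("HOME");
    /* Reject oversized $HOME / $PATH before any other code copies them. */
    if (!env_value_ok(home, CFG_MAX) || !env_value_ok(getenv("PATH"), CFG_MAX) ||
        config_path_checked(path, sizeof path, home) != 0) {
        fputs("refusing to run: HOME/PATH unset or too long\n", stderr);
        return 1;
    }
    puts(path);
    return 0;
}
```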


 Source Message Contents

Subject:  [Fwd: Failed mail]


Well I tried to mail this to the SCO / Caldera security aliases but they
keep bouncing back so I will send it here instead... this is regarding
the recent DT overflows on OpenUnix8.
-KF

-------- Original Message --------
Subject: Failed mail
Date: Mon, 1 Oct 2001 17:08:31 PDT
From: MMDF Mail System <mmdf@sco.COM>
To: dotslash@snosoft.com

Trouble sending mail on sco.sco.COM:

============ Transcript follows ============

(USER) Unknown user name in "tigger@sco.com"
(USER) Unknown user name in "sco-security@sco.com"
Submit error: No valid addresses

============== Message follows =============
Received: from clmboh1-smtp3.columbus.rr.com(65.24.0.112)
 via SMTP by sco.ca.caldera.COM, id smtpdAAAa006kA; Mon Oct  1 17:08:28
2001
Received: from osxinsightrrcom (dhcp065-024-239-073.insight.rr.com
[65.24.239.73])
	by clmboh1-smtp3.columbus.rr.com (8.11.2/8.11.2) with ESMTP id
f920XDR13482;
	Mon, 1 Oct 2001 20:33:13 -0400 (EDT)
Message-Id: <200110020033.f920XDR13482@clmboh1-smtp3.columbus.rr.com>
Date: Sun, 30 Sep 2001 20:36:19 -0700
From: KF <dotslash@snosoft.com>
Content-Type: text/plain;
	format=flowed;
	charset=us-ascii
X-Mailer: Apple Mail (2.388)
Cc: sco-security@sco.com
To: tigger@sco.com
Mime-Version: 1.0 (Apple Message framework v388)
Content-Transfer-Encoding: 7bit
Subject: SECURITY ISSUE in DT YOU MISSED A COUPLE BINARIES.



Begin forwarded message:

> From: MAILER-DAEMON@caldera.co
>
> <sco-security@caldera.com>:
> Sorry, no mailbox here by that name. (#5.1.1)

> Subject: Re: Security Update: [CSSA-2001-SCO.22] Open Unix, UnixWare 7: 
> dtprintinfo environment buffer overflow
>
>
>
> Hey guys I installed OpenUnix again a few days ago and had a few minutes
> on it before
> I rm -rf'd it to make a dual boot box... I was able to make ALL suid /
> sgid binaries in the dt bin segfault (except for dtmail) with a long
> $HOME or $PATH or combination of the two...
> off the top of my head dtterm was one of them for sure.
>
> Also the /usr/sbin/recon binary segfaulted very similar to the
> OpenServer version.
> Just a heads up sorry I didn't think about it sooner.
> -KF
>
>
> On Monday, October 1, 2001, at 11:08 AM, sco-security@caldera.com wrote:
>
>> To: bugtraq@securityfocus.com security-
>> announce@lists.securityportal.com announce@lists.caldera.com
>> scoannmod@xenitec.on.ca
>>
>> ___________________________________________________________________________
>>
>> 	    Caldera International, Inc. Security Advisory
>>
>> Subject:		Open Unix, UnixWare 7: dtprintinfo environment buffer
>> overflow
>> Advisory number: 	CSSA-2001-SCO.22
>> Issue date: 		2001 October 1
>> Cross reference:
>> ___________________________________________________________________________
>>
>>
>>
>> 1. Problem Description
>> 	
>> 	Very long environment variables will cause the dtprintinfo
>> 	command to overflow a buffer.  This could be used by an
>> 	unauthorized user to gain privilege.
>>
>>
>> 2. Vulnerable Versions
>>
>> 	Operating System	Version		Affected Files
>> 	------------------------------------------------------------------
>> 	UnixWare 7		All		/usr/dt/bin/dtprintinfo
>> 	Open Unix		8.0.0		/usr/dt/bin/dtprintinfo
>>
>>
>> 3. Workaround
>>
>> 	None.
>>
>>
>> 4. UnixWare 7
>>
>>   4.1 Location of Fixed Binaries
>>
>> 	ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.22/
>>
>>
>>   4.2 Verification
>>
>> 	md5 checksums:
>> 	
>> 	e726067eba0107ac5efd8c1fdb141b0d	dtprintinfo.Z
>>
>>
>> 	md5 is available for download from
>>
>> 		ftp://stage.caldera.com/pub/security/tools/
>>
>>
>>   4.3 Installing Fixed Binaries
>>
>> 	Upgrade the affected binaries with the following commands:
>>
>> 	# mv /usr/dt/bin/dtprintinfo /usr/dt/bin/dtprintinfo-
>> 	# uncompress /tmp/dtprintinfo.Z
>> 	# cp dtprintinfo /usr/dt/bin
>> 	# cd /usr/dt/bin
>> 	# chown root dtprintinfo
>> 	# chgrp bin dtprintinfo
>> 	# chmod 4555 dtprintinfo
>>
>>
>> 5. References
>>
>> 	This and other advisories are located at
>> 		http://stage.caldera.com/support/security
>>
>> 	This advisory addresses Caldera Security internal incident
>> 	sr850737.
>>
>> 6. Disclaimer
>>
>> 	Caldera International, Inc. is not responsible for the misuse
>> 	of any of the information we provide on our website and/or
>> 	through our security advisories. Our advisories are a service
>> 	to our customers intended to promote secure installation and
>> 	use of Caldera International products.
>>
>>
>> 7. Acknowledgements
>>
>> 	Caldera International wishes to thank KF <dotslash@snosoft.com>
>>         for discovering and reporting this problem.
>>
>> 	
>> ___________________________________________________________________________

 
 



Copyright 2020, SecurityGlobal.net LLC