Category:   OS (UNIX)  >   OpenServer Kernel
Vendors:   Caldera/SCO
Caldera OpenServer (SCO) Kernel Flaw May Let Local Users Execute Arbitrary Code
SecurityTracker Alert ID:  1002861
SecurityTracker URL:  http://securitytracker.com/id/1002861
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 30 2001
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): OpenServer 5.0.6 and previous releases
Description:   Caldera reported a vulnerability in the OpenServer kernel. A local user could execute arbitrary code with root level privileges.

The kernel flaw lets local unprivileged user processes reprogram segment descriptors and certain other CPU registers.
The following files are affected:

/etc/conf/pack.d/kernel/os.a(machdep.o)
/etc/conf/pack.d/kernel/os.a(sysi86.o)

Impact:   A local user could execute arbitrary code with root level privileges.
Solution:   The vendor has issued a fix:

ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.35/

The md5 checksum is:

89a6894b514d0175676d12745158aaea VOL.000.000

Caldera has provided the following instructions and warnings:

Upgrade the affected binaries with the following commands:

Download the VOL.000.000 file to /tmp

# custom

Instruct custom to install from images, and supply /tmp as the
directory of the VOL image.

Closing this family of security holes does, however, result in
a functionality change which may prevent certain applications
from running -- they will exit with an error, or dump core,
instead of running properly. For example, the i286emul and
x286emul emulators will not work, so any '286 executables
which require those emulators will not work. It is our
intention to enhance this patch in the future, such that it
enables full functionality of such applications while still
closing the security holes.

If this patch breaks any crucial applications, the system
administrator may choose to disable the patch, by editing the
file /etc/conf/pack.d/kernel/space.c and setting the value of
the allow_dscr_remap parameter to 1. This will return the
kernel to the old (not-secure) behavior.
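
The checksum verification and the allow_dscr_remap fallback described above, as an added shell example (not Caldera's or SecurityTracker's code). It compares a downloaded file against the advisory's MD5 and reports whether the fallback has been switched on; the one-line initializer form in space.c and the reading of 0 as "patch active" are assumptions, and md5sum or openssl stands in for Caldera's md5 tool.

```shell
#!/bin/sh
# Added example, not vendor code: pre- and post-install checks for
# advisory CSSA-2001-SCO.35.

ADVISORY_MD5="89a6894b514d0175676d12745158aaea"   # VOL.000.000, from the advisory

# Print the lowercase MD5 of file $1 using md5sum, or openssl as a fallback.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | awk '{print $1}'
    else
        openssl md5 < "$1" | awk '{print $NF}'
    fi | tr 'A-F' 'a-f'
}

# Return 0 only if file $1 exists and its MD5 equals $2 (case-insensitive).
verify_md5() {
    [ -f "$1" ] || return 2
    [ "$(file_md5 "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Print the last value assigned to allow_dscr_remap in file $1, or "unset".
# Assumption: a one-line C initializer such as "int allow_dscr_remap = 0;".
# Lines that begin inside a comment are skipped; multi-line comments are not parsed.
dscr_remap_value() {
    v=$(sed -n 's/^[^/]*allow_dscr_remap[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        "$1" 2>/dev/null | tail -n 1)
    echo "${v:-unset}"
}

# Classify the setting: 1 = old (not-secure) behaviour per the advisory,
# 0 = patch active (assumed default), anything else = unknown.
dscr_remap_status() {
    case "$(dscr_remap_value "$1")" in
        0) echo "patched" ;;
        1) echo "insecure" ;;
        *) echo "unknown" ;;
    esac
}

# Usage: sh check.sh /tmp/VOL.000.000 [path-to-space.c]
if [ "$#" -ge 1 ]; then
    if verify_md5 "$1" "$ADVISORY_MD5"; then echo "checksum OK"
    else echo "checksum MISMATCH: do not install"; fi
    echo "allow_dscr_remap: $(dscr_remap_status "${2:-/etc/conf/pack.d/kernel/space.c}")"
fi
```

A status of "insecure" means the kernel has been returned to the pre-patch behaviour and the host should be treated as still exposed to local privilege escalation.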

Vendor URL:  www.caldera.com/
Cause:   Access control error
Underlying OS:  UNIX (Open UNIX-SCO)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Caldera Issues Revised Fix) Caldera OpenServer (SCO) Kernel Flaw May Let Local Users Execute Arbitrary Code
The vendor has since reported that the fix in this advisory is also flawed. Do not use this fix. A separate alert has been issued with the corrected fix.
(Caldera Issues Revised Fix) Caldera OpenServer (SCO) Kernel Flaw May Let Local Users Execute Arbitrary Code
The vendor has released a revised fix.



 Source Message Contents

Subject:  OpenServer: setcontext and sysi86 vulnerabilities


___________________________________________________________________________

            Caldera International, Inc. Security Advisory

Subject:                OpenServer: setcontext and sysi86 vulnerabilities
Advisory number:        CSSA-2001-SCO.35
Issue date:             2001 November 29
Cross reference:
___________________________________________________________________________


1. Problem Description
        
        This patch closes a family of security holes present in SCO
        OpenServer 5.0.6 and previous releases, which stem from the
        ability of regular user processes to reprogram segment
        descriptors and certain other CPU registers.

        Closing this family of security holes does, however, result in
        a functionality change which may prevent certain applications
        from running -- they will exit with an error, or dump core,
        instead of running properly.  For example, the i286emul and
        x286emul emulators will not work, so any '286 executables
        which require those emulators will not work.  It is our
        intention to enhance this patch in the future, such that it
        enables full functionality of such applications while still
        closing the security holes.

        If this patch breaks any crucial applications, the system
        administrator may choose to disable the patch, by editing the
        file /etc/conf/pack.d/kernel/space.c and setting the value of
        the allow_dscr_remap parameter to 1.  This will return the
        kernel to the old (not-secure) behavior.


2. Vulnerable Versions

        Operating System        Version  Affected Files
        ------------------------------------------------------------------
        OpenServer              All      /etc/conf/pack.d/kernel/os.a(machdep.o)
                                         /etc/conf/pack.d/kernel/os.a(sysi86.o)


3. Workaround

        None.


4. OpenServer

  4.1 Location of Fixed Binaries

       
        ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.35/


  4.2 Verification

        md5 checksums:
        
        89a6894b514d0175676d12745158aaea        VOL.000.000


        md5 is available for download from

                ftp://stage.caldera.com/pub/security/tools/


  4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following commands:

        Download the VOL.000.000 file to /tmp
        
        # custom

        Instruct custom to install from images, and supply /tmp as the
        directory of the VOL image.


5. References

       
        ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-002.txt.asc

        This and other advisories are located at
                http://stage.caldera.com/support/security

        This advisory addresses Caldera Security internal incidents
        sr855993, sr855994, SCO-559-1328, SCO-559-1329, erg711906 and
        erg711905.


6. Disclaimer

        Caldera International, Inc. is not responsible for the misuse
        of any of the information we provide on our website and/or
        through our security advisories. Our advisories are a service
        to our customers intended to promote secure installation and
        use of Caldera International products.


7. Acknowledgements

        Caldera wishes to thank the Last Stage of Delirium Research
        Group (contact@lsd-pl.net) for their discovery of, and
        research into, these issues.

         
___________________________________________________________________________


 
 

