SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Lpstat Vendors:   Caldera/SCO
Caldera 'lpstat' for OpenServer Still Has Buffer Overflow That Allows Local Users to Obtain Elevated Privileges
SecurityTracker Alert ID:  1002924
SecurityTracker URL:  http://securitytracker.com/id/1002924
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 8 2001
Impact:   Execution of arbitrary code via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.0.6a and prior
Description:   Caldera reported a buffer overflow vulnerability in lpstat for OpenServer. A remote user could obtain elevated privileges on the system.

It is reported that even with patch sse072 (SCO System Security Enhancement SSE072B, dated 11-Apr-2001), a buffer overflow exists in lpstat. A remote user could cause arbitrary code to be executed with 'bin' user privileges.

This affects the /usr/bin/lpstat file.

Impact:   A local user could execute arbitrary code with 'bin' user privileges.
Solution:   Caldera has issued a fix and has described a workaround for lpstat for OpenServer.

As a workaround, if the lpstat command is not required, remove the setgid bit from the binary:

chmod g-s /usr/bin/lpstat

The fix is available at:

ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.38/

The verification checksum is:

2deab6d340bb3790104fa0cb8ae36e6c erg711871.pkg.Z

Upgrade the affected binaries with the following commands:

# uncompress /tmp/erg711871.pkg.Z
# pkgadd -d /tmp/erg711871.pkg

Vendor URL:  stage.caldera.com/support/security (Links to External Site)
Cause:   Boundary error
Underlying OS:  UNIX (Open UNIX-SCO)

Message History:   None.


 Source Message Contents

Subject:  Security Update: [CSSA-2001-SCO.38] OpenServer: lpstat buffer overflow


--VrqPEDrXMn8OVzN4
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: 8bit            

To: bugtraq@securityfocus.com announce@lists.caldera.com scoannmod@xenitec.on.ca


___________________________________________________________________________

	    Caldera International, Inc. Security Advisory

Subject:		OpenServer: lpstat buffer overflow
Advisory number: 	CSSA-2001-SCO.38
Issue date: 		2001 December 7
Cross reference:	sse072
___________________________________________________________________________


1. Problem Description
	
	Even with sse072, lpstat has a buffer overflow. This could be
	used by a malicious user to gain privileges.


2. Vulnerable Versions

	Operating System	Version		Affected Files
	------------------------------------------------------------------
	OpenServer		<= 5.0.6a	/usr/bin/lpstat


3. Workaround

	If the lpstat command is not required, remove the setgid bit
	from the binary:

		chmod g-s /usr/bin/lpstat


4. OpenServer

  4.1 Location of Fixed Binaries

	ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.38/


  4.2 Verification

	md5 checksums:
	
	2deab6d340bb3790104fa0cb8ae36e6c	erg711871.pkg.Z


	md5 is available for download from

		ftp://stage.caldera.com/pub/security/tools/


  4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following commands:

	# uncompress /tmp/erg711871.pkg.Z
	# pkgadd -d /tmp/erg711871.pkg


5. References

	This and other advisories are located at
		http://stage.caldera.com/support/security

	This advisory addresses Caldera Security internal incidents
	sr854294, SCO-559-1315, erg711871.


6. Disclaimer

	Caldera International, Inc. is not responsible for the misuse
	of any of the information we provide on our website and/or
	through our security advisories. Our advisories are a service
	to our customers intended to promote secure installation and
	use of Caldera International products.

___________________________________________________________________________

--VrqPEDrXMn8OVzN4
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjwRCuUACgkQaqoBO7ipriGyQQCeN8d03pNqPP9sh8N3wYUVX7Av
5QgAmwe0z9pgKZSsLTeAkd5KFjw7gxVi
=0uQK
-----END PGP SIGNATURE-----

--VrqPEDrXMn8OVzN4--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC