SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (UNIX)  >   OpenServer Kernel Vendors:   Caldera/SCO
(Caldera Issues Revised Fix) Caldera OpenServer (SCO) Kernel Flaw May Let Local Users Execute Arbitrary Code
SecurityTracker Alert ID:  1003336
SecurityTracker URL:  http://securitytracker.com/id/1003336
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 24 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): OpenServer 5.0.6 and previous releases
Description:   Caldera reported a vulnerability in the OpenServer kernel. A local user could execute arbitrary code with root level privileges.

The kernel flaw lets local unprivileged user processes reprogram segment descriptors and certain other CPU registers.
The following files are affected:

/etc/conf/pack.d/kernel/os.a(machdep.o)
/etc/conf/pack.d/kernel/os.a(sysi86.o)

Impact:   A local user could execute arbitrary code with root level privileges.
Solution:   The vendor has released a revised fix. The previous release of this fix was flawed, and required a recut. If CSSA-2001-SCO-35 or CSSA-2001-SCO-35.1 has already been applied, Caldera stongly recommends that you install the updated fix. NB: Before installing CSSA-2001-SCO.35.2, any previously installed version of CSSA-2001-SCO.35 must be removed.

This patch can be applied on SCO OpenServer 5.0.4, 5.0.4c, 5.0.5, 5.0.5a, 5.0.6, or 5.0.6a. This fix will be included in releases subsequent to 5.0.6a.

Fixed binaries are available at:

ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.35.2/

The verification checksum is:

MD5 (CSSA-2001-SCO.35.2.tar) = 08a06921bfc5050020a459595f05a146


*** Before installing CSSA-2001-SCO.35.2, any previously ***
*** installed version of CSSA-2001-SCO.35 must be removed. ***

Upgrade the affected binaries with the following commands:

Download the CSSA-2001-SCO.35.2.tar file to /tmp.

# cd /tmp
# tar xvf CSSA-2001-SCO.35.2.tar
# custom

Instruct custom to install from images, and supply /tmp as the directory of the VOL image.

Vendor URL:  www.caldera.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:  UNIX (Open UNIX-SCO)

Message History:   This archive entry is a follow-up to the message listed below.
Nov 30 2001 Caldera OpenServer (SCO) Kernel Flaw May Let Local Users Execute Arbitrary Code



 Source Message Contents

Subject:  Security Update: [CSSA-2001-SCO.35.2] REVISED: OpenServer: setcontext and sysi86 vulnerabilities


--ikeVEW9yuYc//A+q
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: 8bit            

To: bugtraq@securityfocus.com announce@lists.caldera.com scoannmod@xenitec.on.ca

___________________________________________________________________________

	    Caldera International, Inc. Security Advisory

Subject:		REVISED: OpenServer: setcontext and sysi86 vulnerabilities
Advisory number: 	CSSA-2001-SCO.35.2
Issue date: 		2002 January 21
Cross reference:	CSSA-2001-SCO-35 CSSA-2001-SCO.35.1
___________________________________________________________________________


1. Problem Description
	
	[ The previous release of this fix was flawed, and required a
	recut. If CSSA-2001-SCO-35 or CSSA-2001-SCO-35.1 has already
	been applied, Caldera stongly recommends that you install the
	updated fix. NB: Before installing CSSA-2001-SCO.35.2, any
	previously installed version of CSSA-2001-SCO.35 must be
	removed. ]

	This patch closes a family of security holes present in SCO
	OpenServer 5.0.6 and previous releases, which stem from the
	ability of regular user processes to reprogram segment
	descriptors and certain other CPU registers.

	This patch can be applied on SCO OpenServer 5.0.4, 5.0.4c,
	5.0.5, 5.0.5a, 5.0.6, or 5.0.6a.  This fix will be included in
	releases subsequent to 5.0.6a.

	Closing this family of security holes does, however, result in
	a functionality change which may prevent certain applications
	from running -- they will exit with an error, or dump core,
	instead of running properly.  For example, the i286emul and
	x286emul emulators will not work, so any '286 executables
	which require those emulators will not work.  It is our
	intention to enhance this patch in the future, such that it
	enables full functionality of such applications while still
	closing the security holes.

	If this patch breaks any crucial applications, the system
	administrator may choose to disable the patch, by editing the
	file /etc/conf/pack.d/kernel/space.c and setting the value of
	the allow_dscr_remap parameter to 1.  This will return the
	kernel to the old (non-secure) behavior.


2. Vulnerable Versions

	Operating System	Version	 Affected Files
	------------------------------------------------------------------
	OpenServer		All	/etc/conf/pack.d/kernel/os.a(machdep.o)
					/etc/conf/pack.d/kernel/os.a(sysi86.o)


3. Workaround

	None.


4. OpenServer

  4.1 Location of Fixed Binaries

	ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.35.2/


  4.2 Verification

	md5 checksums:
	
	MD5 (CSSA-2001-SCO.35.2.tar) = 08a06921bfc5050020a459595f05a146


	md5 is available for download from

		ftp://stage.caldera.com/pub/security/tools/


  4.3 Installing Fixed Binaries

	***  Before installing CSSA-2001-SCO.35.2, any previously    ***
	***  installed version of CSSA-2001-SCO.35 must be removed.  ***

	Upgrade the affected binaries with the following commands:

	Download the CSSA-2001-SCO.35.2.tar file to /tmp.
	
	# cd /tmp
	# tar xvf CSSA-2001-SCO.35.2.tar
	# custom

	Instruct custom to install from images, and supply /tmp as the
	directory of the VOL image.


5. References

	ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-002.txt.asc 

	This and other advisories are located at
		http://stage.caldera.com/support/security

	This advisory addresses Caldera Security internal incidents
	sr855993, sr855994, SCO-559-1328, SCO-559-1329, erg711906 and
	erg711905.


6. Disclaimer

	Caldera International, Inc. is not responsible for the misuse
	of any of the information we provide on our website and/or
	through our security advisories. Our advisories are a service
	to our customers intended to promote secure installation and
	use of Caldera International products.


7. Acknowledgements

	Caldera wishes to thank the Last Stage of Delirium Research
	Group (contact@lsd-pl.net) for their discovering of, and
	research into, these issues.

	 
___________________________________________________________________________

--ikeVEW9yuYc//A+q
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjxOFTsACgkQaqoBO7ipriHU1gCdH0SVyRbymvqisIXTBWN2F5OZ
+n8AoKQ6yKHUnG4nbdnQyFokW6szZjHl
=AbFb
-----END PGP SIGNATURE-----

--ikeVEW9yuYc//A+q--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC