SecurityTracker.com

Category:   Application (Calendar)  >   Rpc.cmsd
Vendors:   Caldera/SCO
Caldera/SCO Calendar Manager Service (rpc.cmsd) Buffer Overflow Lets Remote Users Execute Arbitrary Code on the System With Root Privileges
SecurityTracker Alert ID:  1003862
SecurityTracker URL:  http://securitytracker.com/id/1003862
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 21 2002
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes

Description:   Caldera reported a vulnerability in the rpc.cmsd calendar manager service on UnixWare and Open UNIX. A remote user can obtain root privileges on the server.

It is reported that a remote user can execute arbitrary code on the system by requesting program 100068 version 4 over UDP (implemented by /usr/dt/bin/rpc.cmsd) and then making a single RPC call to procedure 21 (rtable_create) that passes two strings, one of which triggers a buffer overflow. The server-side routine involved is:

$BASE/server/rtable4.c:_DtCm_rtable_create_4_svc(args)

where args is of type Table_Op_Args_4 and carries two client-supplied strings, args->target and args->new_target. "new_target" is never used; "target" causes the overflow later on.

_DtCmGetPrefix will reportedly overflow its local variable "buf" if the "sep" parameter that ends the prefix is not present.

It is also reported that _DtCm_rtable_create_4_svc does not make sure that the length of args->target is < BUFSIZ.
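The two defects described above (an unbounded copy that relies on "sep" being present, and no length check on the client-supplied target) are shown below as an added example; it is not code from rpc.cmsd or from the advisory. The function names, the '@' separator and the test input are assumptions made for illustration.

```c
#include <stdio.h>   /* BUFSIZ */
#include <stdlib.h>
#include <string.h>

/* Helper for this example: heap copy of the first n bytes of s. */
static char *dup_n(const char *s, size_t n)
{
    char *out = malloc(n + 1);
    if (out != NULL) { memcpy(out, s, n); out[n] = '\0'; }
    return out;
}

/* Unsafe pattern (hypothetical reconstruction): the copy stops only at
 * `sep` or NUL, so BUFSIZ or more bytes without `sep` overrun `buf`. */
char *prefix_unsafe(const char *str, char sep)
{
    char buf[BUFSIZ], *p = buf;

    if (str == NULL)
        return NULL;
    while (*str && *str != sep)
        *p++ = *str++;                      /* no bound on p */
    return p == buf ? NULL : dup_n(buf, (size_t)(p - buf));
}

/* Hardened form: reject inputs of max_len bytes or more (the check the
 * caller lacked), then copy into storage sized from the prefix itself. */
char *prefix_checked(const char *str, char sep, size_t max_len)
{
    const char *end;
    size_t n;
    if (str == NULL || strlen(str) >= max_len)
        return NULL;
    end = strchr(str, sep);
    n = end ? (size_t)(end - str) : strlen(str);  /* no sep: whole string */
    return n == 0 ? NULL : dup_n(str, n);
}

/* Constructed input: 2*BUFSIZ bytes with no separator. Returns 1 when
 * the checked version refuses it instead of copying it. */
int rejects_long_target(void)
{
    size_t len = 2 * (size_t)BUFSIZ;
    char *big = malloc(len + 1), *r;
    int ok;
    if (big == NULL) return 0;
    memset(big, 'A', len); big[len] = '\0';
    r = prefix_checked(big, '@', BUFSIZ);
    ok = (r == NULL);
    free(r); free(big);
    return ok;
}
```

Building the unsafe variant with a compiler sanitizer such as AddressSanitizer makes the out-of-bounds write visible as a stack-buffer-overflow report.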

Caldera credits jGgM with reporting this vulnerability.

For demonstration exploit code, see the following URL:

http://www.securiteam.com/exploits/5QP0G1P61E.html

Impact:   A remote user can execute arbitrary code on the system with root level privileges.
Solution:   The vendor has released a fix for UnixWare 7, Open UNIX 8:

ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.12/

The verification checksum is:

MD5 (erg711942b.Z) = 64d49dcd622cccbb2e7553e2706bc33d

Download erg711942b.Z to the /var/spool/pkg directory, then upgrade the affected binaries with the following commands:

# uncompress /var/spool/pkg/erg711942b.Z
# pkgadd -d /var/spool/pkg/erg711942b

Vendor URL:  stage.caldera.com/support/security/
Cause:   Boundary error
Underlying OS:  UNIX (Open UNIX-SCO)
Underlying OS Comments:  UnixWare 7.1.1, Open UNIX 8.0.0

Message History:   None.


 Source Message Contents

Subject:  Security Update: [CSSA-2002-SCO.12] Open UNIX, UnixWare 7: rpc.cmsd can be remotely exploited



To: bugtraq@securityfocus.com announce@lists.caldera.com scoannmod@xenitec.on.ca

___________________________________________________________________________

	    Caldera International, Inc. Security Advisory

Subject:		Open UNIX, UnixWare 7: rpc.cmsd can be remotely exploited
Advisory number: 	CSSA-2002-SCO.12
Issue date: 		2002 March 20
Cross reference:
___________________________________________________________________________


1. Problem Description
	
  1.1 Overview

	The rpc.cmsd command  would overflow  a  buffer under  certain
	circumstances, allowing the possibility of  a  remote  user to
	gain privilege.


  1.2 Detail
  
	The  exploit  code provided by  jGgM  requests  program 100068
	version 4  on UDP  (implemented  by /usr/dt/bin/rpc.cmsd)  and
	then  does a single RPC call  to procedure  21 (rtable_create)
	passing 2 strings, one of which creates a buffer overflow.

	$BASE/server/rtable4.c:_DtCm_rtable_create_4_svc(args)   where
	args is  of type Table_Op_Args_4: 2 client supplied strings as
	args->target and args->new_target. "new_target" is never  used
	and "target" creates the overflow later on.

	_DtCmGetPrefix will overflow its  local variable "buf"  if the
	"sep" parameter that ends the prefix is not present.

	A     secondary    problem    may    also    occur     because
	_DtCm_rtable_create_4_svc does  not make sure that  the length
	of args->target is < BUFSIZ.


2. Vulnerable Supported Versions

	Operating System	Version		Affected Files
	------------------------------------------------------------------
	UnixWare 7		7.1.1		/usr/dt/bin/rpc.cmsd
	Open UNIX		8.0.0		/usr/dt/bin/rpc.cmsd


3. Workaround

	None.


4. UnixWare 7, Open UNIX 8

  4.1 Location of Fixed Binaries

	ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.12/


  4.2 Verification

	MD5 (erg711942b.Z) = 64d49dcd622cccbb2e7553e2706bc33d


	md5 is available for download from
		ftp://stage.caldera.com/pub/security/tools/


  4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following commands:

	Download erg711942b.Z to the /var/spool/pkg directory

	# uncompress /var/spool/pkg/erg711942b.Z
	# pkgadd -d /var/spool/pkg/erg711942b


5. References

	Specific references for this advisory:

		none


	Caldera UNIX security resources:

		http://stage.caldera.com/support/security/
		       
	Caldera OpenLinux security resources:

		http://www.caldera.com/support/security/index.html


	This  advisory addresses  Caldera  Security internal incidents
	sr858623, fz519829, erg711942.


6. Disclaimer

	Caldera  International, Inc. is not responsible for the misuse
	of  any of the information  we provide  on  our website and/or
	through our  security advisories. Our advisories are a service
	to  our customers intended to promote  secure installation and
	use of Caldera International products.


7. Acknowledgements

	This  vulnerability was  discovered  and  researched  by  jGgM
	<jggm@mail.com>.

	 
___________________________________________________________________________
