SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Scoadmin Vendors:   Caldera/SCO
(Caldera Issues Fix for OpenServer) Scoadmin Administration Utility for SCO Unixware Allows Local Users to Overwrite the Contents of Files on the System
SecurityTracker Alert ID:  1004399
SecurityTracker URL:  http://securitytracker.com/id/1004399
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 29 2002
Impact:   Denial of service via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Strategic Reconnaissance Team released an advisory for SCO's Scoadmin administration utility, noting that it allows local users to cause the contents of files on the system to be overwritten.

Scoadmin reportedly makes poor use of /tmp temporary files, using predictable file names.

A local user can link a file on the system (such as /etc/passwd) with a certain temporary file, using a command such asd: ln -s /etc/passwd /tmp/tclerror.1195.log

When a root user runs scoadmin from xwindows, the contents of the /etc/passwd file will be overwritten with a garbage file.

It is reported that for this to work, it is necessary to force an error condition. One way of doing this is to stop xm_vtcld from opening, such as by creating a file where it wants its socket. As a normal user: touch /tmp/5111_342.0

Then, when a root user executes scoadmin, the user will get an error and overwrite the password file.

The vendor has reportedly been notified.

Impact:   A local user can cause the contents of files on the system to be overwritten.
Solution:   The vendor has released a fix for OpenServer.

For OpenServer 5.0.5:

Location of Fixed Binaries:

ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.22

Verification checksum:

MD5 (VOL.000.000) = 814cc4af8e653baf220f2a94b23ff741

To install:

Upgrade the affected binaries with the following commands:

1) Download the VOL* files to the /tmp directory

Run the custom command, specify an install from media images, and specify the /tmp directory as the location of the images.


For OpenServer 5.0.6:

Location of Fixed Binaries:

ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.22

Verification checksum:

MD5 (VOL.000.000) = 814cc4af8e653baf220f2a94b23ff741

To install:

Upgrade the affected binaries with the following commands:

1) Download the VOL* files to the /tmp directory

Run the custom command, specify an install from media images, and specify the /tmp directory as the location of the images.

Vendor URL:  www.caldera.com/support/security/index.html (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  UNIX (Open UNIX-SCO)
Underlying OS Comments:  OpenServer 5.0.5, 5.0.6

Message History:   This archive entry is a follow-up to the message listed below.
May 23 2001 Scoadmin Administration Utility for SCO Unixware Allows Local Users to Overwrite the Contents of Files on the System



 Source Message Contents

Subject:  Security Update: [CSSA-2002-SCO.22] OpenServer 5.0.5 OpenServer 5.0.6 : scoadmin command creates temporary files insecurely


--L6iaP+gRLNZHKoI4
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

To: bugtraq@securityfocus.com announce@lists.caldera.com scoannmod@xenitec.on.ca

______________________________________________________________________________

		Caldera International, Inc.  Security Advisory

Subject:		OpenServer 5.0.5 OpenServer 5.0.6 : scoadmin command creates temporary files insecurely
Advisory number: 	CSSA-2002-SCO.22
Issue date: 		2002 May 28
Cross reference:
______________________________________________________________________________


1. Problem Description

	The scoadmin command creates and uses temporary files
	insecurely. Names can be predicted, and spoofed with symbolic
	links.


2. Vulnerable Supported Versions

	System				Binaries
	----------------------------------------------------------------------
	OpenServer 5.0.5		/etc/sysadm.d/lib/sysadm.tlib
					/etc/sysadm.d/lib/sysadm.tndx
	OpenServer 5.0.6		/etc/sysadm.d/lib/sysadm.tlib
					/etc/sysadm.d/lib/sysadm.tndx


3. Solution

	The proper solution is to install the latest packages.


4. OpenServer 5.0.5

	4.1 Location of Fixed Binaries

	ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.22


	4.2 Verification

	MD5 (VOL.000.000) = 814cc4af8e653baf220f2a94b23ff741

	md5 is available for download from
		ftp://stage.caldera.com/pub/security/tools/


	4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following commands:

	1) Download the VOL* files to the /tmp directory

	Run the custom command, specify an install from media images,
	and specify the /tmp directory as the location of the images.


5. OpenServer 5.0.6

	5.1 Location of Fixed Binaries

	ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.22


	5.2 Verification

	MD5 (VOL.000.000) = 814cc4af8e653baf220f2a94b23ff741

	md5 is available for download from
		ftp://stage.caldera.com/pub/security/tools/


	5.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following commands:

	1) Download the VOL* files to the /tmp directory

	Run the custom command, specify an install from media images,
	and specify the /tmp directory as the location of the images.


6. References

	Specific references for this advisory:
		none

	Caldera UNIX security resources:
		http://stage.caldera.com/support/security/

	Caldera OpenLinux security resources:
		http://www.caldera.com/support/security/index.html

	This security fix closes Caldera incidents sr847944,
	SCO-1-233, erg711739.


7. Disclaimer

	Caldera International, Inc. is not responsible for the
	misuse of any of the information we provide on this website
	and/or through our security advisories. Our advisories are
	a service to our customers intended to promote secure
	installation and use of Caldera products.


8. Acknowledgements

	Kevin Finisterre (dotslash@snosoft.com) discovered and
	researched this vulnerability.

______________________________________________________________________________

--L6iaP+gRLNZHKoI4
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjz0Db4ACgkQaqoBO7ipriHmigCbBakK7MvfrBLr0P9OZgAYr3Xo
IqcAmwT7JNoHg+T6TDHctXlXkZV4Bpjz
=FM2r
-----END PGP SIGNATURE-----

--L6iaP+gRLNZHKoI4--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC