SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   in.rarpd Vendors:   Caldera/SCO
(Caldera Issues Fix for UnixWare/Open UNIX) Re: UNIX 'in.rarpd' Reverse ARP Protocol Daemon May Let Local and Remote Users Gain Root Access on the System
SecurityTracker Alert ID:  1004621
SecurityTracker URL:  http://securitytracker.com/id/1004621
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 25 2002
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Several vulnerabilities were reported in the 'in.rarpd' reverse ARP protocol implementation for Sun Solaris and Caldera/SCO UnixWare/Open UNIX (and possibly other UNIX-based systems). A remote or local user can gain root level access on the system.

It is reported that 'in.rarpd' contains three remotely exploitable buffer overflows, two locally exploitable buffer overflows, and two format string flaws.

Regarding the format string bugs, the error() and syserr() functions make syslog() calls based on user-supplied information without supplying the required format strings. As a result, a user can supply a malicious string (for the 'cmdname' variable) containing format string specifiers to cause arbitrary code to be executed by the in.rarpd daemon. The report indicates that these calls can be exploited by remote or local users.

No further details were provided.

[Editor's note: The original report only mentions Sun Solaris. However, Caldera/SCO has confirmed that UnixWare and Open UNIX are also vulnerable. On this basis, it is plausible that other UNIX-based systems are affected.]

Impact:   A remote or local user may be able to execute arbitrary code on the system to gain root access on the system.
Solution:   The vendor has released fixed packages for UnixWare and Open UNIX:

For UnixWare 7.1.1:

Location of Fixed Binaries

ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.29


Verification

MD5 (erg712062.pkg.Z) = 3c05be0a8197ddd3b6fcd3ac50933508

md5 is available for download from
ftp://ftp.caldera.com/pub/security/tools


Installing Fixed Binaries

Upgrade the affected binaries with the following commands:

Download erg712062.pkg.Z to the /var/spool/pkg directory

# uncompress /var/spool/pkg/erg712062.pkg.Z
# pkgadd -d /var/spool/pkg/erg712062.pkg


For Open UNIX 8.0.0:

Location of Fixed Binaries

ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.29


Verification

MD5 (erg712062.pkg.Z) = 3c05be0a8197ddd3b6fcd3ac50933508

md5 is available for download from
ftp://ftp.caldera.com/pub/security/tools


Installing Fixed Binaries

Upgrade the affected binaries with the following commands:

Download erg712062.pkg.Z to the /var/spool/pkg directory

# uncompress /var/spool/pkg/erg712062.pkg.Z
# pkgadd -d /var/spool/pkg/erg712062.pkg

Vendor URL:  www.caldera.com/support/security/index.html (Links to External Site)
Cause:   Boundary error, Input validation error
Underlying OS:  UNIX (Open UNIX-SCO)
Underlying OS Comments:  UnixWare 7.1.1, Open UNIX 8.0.0

Message History:   This archive entry is a follow-up to the message listed below.
May 22 2002 UNIX 'in.rarpd' Reverse ARP Protocol Daemon May Let Local and Remote Users Gain Root Access on the System



 Source Message Contents

Subject:  Security Update: [CSSA-2002-SCO.29] UnixWare 7.1.1 Open UNIX 8.0.0 : in.rarpd format string vulnerability in error() and


--rwEMma7ioTxnRzrJ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

To: bugtraq@securityfocus.com announce@lists.caldera.com scoannmod@xenitec.on.ca

______________________________________________________________________________

		Caldera International, Inc.  Security Advisory

Subject:		UnixWare 7.1.1 Open UNIX 8.0.0 : in.rarpd format string vulnerability in error() and syserr()
Advisory number: 	CSSA-2002-SCO.29
Issue date: 		2002 June 24
Cross reference:
______________________________________________________________________________


1. Problem Description

	The in.rarpd program has several error routines (error()
	and syserr()) that can manipulated by a malicious user to
	compromise the system.


2. Vulnerable Supported Versions

	System				Binaries
	----------------------------------------------------------------------
	UnixWare 7.1.1			/usr/sbin/in.rarpd
	Open UNIX 8.0.0 		/usr/sbin/in.rarpd


3. Solution

	The proper solution is to install the latest packages.


4. UnixWare 7.1.1

	4.1 Location of Fixed Binaries

	ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.29


	4.2 Verification

	MD5 (erg712062.pkg.Z) = 3c05be0a8197ddd3b6fcd3ac50933508

	md5 is available for download from
		ftp://ftp.caldera.com/pub/security/tools


	4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following commands:

	Download erg712062.pkg.Z to the /var/spool/pkg directory

	# uncompress /var/spool/pkg/erg712062.pkg.Z
	# pkgadd -d /var/spool/pkg/erg712062.pkg


5. Open UNIX 8.0.0

	5.1 Location of Fixed Binaries

	ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.29


	5.2 Verification

	MD5 (erg712062.pkg.Z) = 3c05be0a8197ddd3b6fcd3ac50933508

	md5 is available for download from
		ftp://ftp.caldera.com/pub/security/tools


	5.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following commands:

	Download erg712062.pkg.Z to the /var/spool/pkg directory

	# uncompress /var/spool/pkg/erg712062.pkg.Z
	# pkgadd -d /var/spool/pkg/erg712062.pkg


6. References

	Specific references for this advisory:
		none

	Caldera security resources:
		http://www.caldera.com/support/security/index.html

	This security fix closes Caldera incidents sr865148, fz521092,
	erg712062.


7. Disclaimer

	Caldera International, Inc. is not responsible for the
	misuse of any of the information we provide on this website
	and/or through our security advisories. Our advisories are
	a service to our customers intended to promote secure
	installation and use of Caldera products.


8. Acknowledgements

	David Reign <davidreign@hotmail.com> discovered these
	vulnerabilities.

______________________________________________________________________________

--rwEMma7ioTxnRzrJ
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj0XrbwACgkQaqoBO7ipriFDgQCglJk5/QTHOOFrDNRBAr5Wml4L
al8An0hiuV5Zm49pUl0I/0McRPfZYEar
=mAsD
-----END PGP SIGNATURE-----

--rwEMma7ioTxnRzrJ--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC