Category:   Application (Generic)  >   Xsco
Vendors:   Caldera/SCO
(Caldera Issues Fix for Open UNIX/UnixWare) Caldera/SCO OpenServer Xsco Utility Heap Overflow May Let Local Users Gain Root Privileges
SecurityTracker Alert ID:  1005142
SecurityTracker URL:  http://securitytracker.com/id/1005142
CVE Reference:   CVE-2002-0987, CVE-2002-0988
Date:  Aug 27 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A heap overflow has been reported in Caldera's (SCO's) OpenServer Xsco utility. A local user may be able to obtain root level privileges on the system.

Strategic Reconnaissance Team issued an advisory warning that the SCO OpenServer Xsco application contains the same heap overflow that was previously reported in Xsun.

By default, the SCO OpenServer Xsco application is installed with set user id (suid) root privileges. A local user could exploit this overflow to gain root access on the system.

A demonstration exploit transcript is provided:

bash-2.03$ ./Xsco :1 -co <b0f here> -crt /dev/console

Tue Jun 11 10:32:59 2002
Couldn't open RGB_DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
...
Segmentation Fault

The vendor has reportedly been notified.

Impact:   A local user may be able to execute arbitrary shell code with root privileges to gain root access on the system.
Solution:   Caldera has released a fix.

For Open UNIX 8.0.0:

Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.38

Verification

MD5 (erg711819b.pkg.Z) = 8c06d16b46b7895c545bcdb7c23475d0

Installing Fixed Binaries

Upgrade the affected binaries with the following commands:

Download erg711819b.pkg.Z to the /var/spool/pkg directory

# uncompress /var/spool/pkg/erg711819b.pkg.Z
# pkgadd -d /var/spool/pkg/erg711819b.pkg


For UnixWare 7.1.1:

Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.38

Verification

MD5 (erg711819b.pkg.Z) = 8c06d16b46b7895c545bcdb7c23475d0

Installing Fixed Binaries

Upgrade the affected binaries with the following commands:

Download erg711819b.pkg.Z to the /var/spool/pkg directory

# uncompress /var/spool/pkg/erg711819b.pkg.Z
# pkgadd -d /var/spool/pkg/erg711819b.pkg

Vendor URL:  www.caldera.com/support/security/index.html
Cause:   Boundary error
Underlying OS:  UNIX (Open UNIX-SCO)
Underlying OS Comments:  Open UNIX 8.0.0, UnixWare 7.1.1

Message History:   This archive entry is a follow-up to the message listed below.
Jun 11 2002 Caldera/SCO OpenServer Xsco Utility Heap Overflow May Let Local Users Gain Root Privileges



 Source Message Contents

Subject:  Security Update: [CSSA-2002-SCO.38] Open UNIX 8.0.0 UnixWare 7.1.1 : X server insecure popen and buffer overflow



To: bugtraq@securityfocus.com announce@lists.caldera.com scoannmod@xenitec.on.ca full-disclosure@lists.netsys.com

______________________________________________________________________________

			SCO Security Advisory

Subject:		Open UNIX 8.0.0 UnixWare 7.1.1 : X server insecure popen and buffer overflow
Advisory number: 	CSSA-2002-SCO.38
Issue date: 		2002 August 26
Cross reference:
______________________________________________________________________________


1. Problem Description

	The X server did not drop privilege before invoking xkbcomp
	or other external commands. In addition, there was a buffer
	overflow in the same area of the code.


2. Vulnerable Supported Versions

	System				Binaries
	----------------------------------------------------------------------
	Open UNIX 8.0.0			/usr/X/bin/Xsco
	UnixWare 7.1.1			/usr/X/bin/Xsco


3. Solution

	The proper solution is to install the latest packages.


4. Open UNIX 8.0.0

	4.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.38


	4.2 Verification

	MD5 (erg711819b.pkg.Z) = 8c06d16b46b7895c545bcdb7c23475d0

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools


	4.3 Installing Fixed Binaries

		Upgrade the affected binaries with the following commands:

	Download erg711819b.pkg.Z to the /var/spool/pkg directory

	# uncompress /var/spool/pkg/erg711819b.pkg.Z
	# pkgadd -d /var/spool/pkg/erg711819b.pkg


5. UnixWare 7.1.1

	5.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.38


	5.2 Verification

	MD5 (erg711819b.pkg.Z) = 8c06d16b46b7895c545bcdb7c23475d0

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools


	5.3 Installing Fixed Binaries

		Upgrade the affected binaries with the following commands:

	Download erg711819b.pkg.Z to the /var/spool/pkg directory

	# uncompress /var/spool/pkg/erg711819b.pkg.Z
	# pkgadd -d /var/spool/pkg/erg711819b.pkg


6. References

	Specific references for this advisory:
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0987
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0988
		http://marc.theaimsgroup.com/?l=bugtraq&m=88653528226228&w=2

	SCO security resources:
		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr850806, fz518676,
	erg711819.


7. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers
	intended to promote secure installation and use of SCO
	products.


8. Acknowledgements

	This vulnerability was discovered and researched by Olaf
	Kirch (okir@suse.de).

______________________________________________________________________________


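The two defects the advisory names, an external command run before privilege is dropped and an overflow fed by a command-line argument, are shown here in corrected form as an added C illustration. This is not Xsco source or SCO's patch; the function names, MSG_MAX and the sample paths are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#define MSG_MAX 128 /* constructed buffer size; not taken from Xsco */

/* Build the "Couldn't open RGB_DB" diagnostic from the -co argument.
 * snprintf() never writes past dstlen; an over-long path is reported. */
int format_rgb_error(char *dst, size_t dstlen, const char *path)
{
    int n = snprintf(dst, dstlen, "Couldn't open RGB_DB '%s'", path);
    return (n < 0 || (size_t)n >= dstlen) ? -1 : 0;
}

/* Permanently give up set-uid privilege: group first, then user,
 * then verify that the effective IDs really changed. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    if (ruid != 0 && setuid(0) == 0) /* root must not be recoverable */
        return -1;
    return 0;
}

/* Hypothetical wrapper: run an external helper (xkbcomp in the advisory)
 * only after privilege is gone; copies its first output line into out. */
int run_helper_unprivileged(const char *cmd, char *out, size_t outlen)
{
    FILE *p;
    if (drop_privileges() != 0 || (p = popen(cmd, "r")) == NULL)
        return -1;
    if (fgets(out, (int)outlen, p) == NULL)
        out[0] = '\0';
    return pclose(p) == 0 ? 0 : -1;
}

int main(void)
{
    char msg[MSG_MAX], line[64];
    int t = format_rgb_error(msg, sizeof msg, "/constructed/sample/rgb");
    printf("%s (truncated=%d)\n", msg, t != 0);
    return run_helper_unprivileged("echo helper ran", line, sizeof line);
}
```
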
 
 

