Category:   Application (Generic)  >   SAS Vendors:   SAS Institute Inc.
(Additional Vulnerabilities Are Reported) Re: SAS Job Spawner Buffer Overflow and Format String Bug Let Local Users Execute Arbitrary Code on the System with Root Privileges and Gain Root Privileges on the System
SecurityTracker Alert ID:  1003406
SecurityTracker URL:
CVE Reference:   CVE-2002-2018
Updated:  Jun 8 2008
Original Entry Date:  Jan 31 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes  
Version(s): SAS Job Spawner for Open Systems 8.00
Description:   A vulnerability was reported in the SAS Job Spawner (sastcpd). A local user can obtain root privileges on the system.

In addition to the vulnerability reported by Ministry-of-Peace in the original alert, additional vulnerabilities have been reported.

The original vulnerability was in passing long command line arguments to sastcpd, causing arbitrary code to be executed with root privileges. See the earlier alert for details.

The newly reported vulnerabilities involve a local user setting an environment variable to a certain value to cause arbitrary code to be executed. It is reported that a local user can set the 'authprog' environment variable which is passed to execve(), allowing the local user to execute arbitrary commands with root privileges. A demonstration exploit script is provided (it is Base64 encoded within the Source Message).

It is also reported that a remote user can cause sastcpd to crash if the 'netencralg' environment variable is set to any value.

All tests were run on SunOS 5.8.
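
The hardening pattern for this class of bug, as an added example that is not part of the original alert and is not SAS code: a setuid program ignores a caller-supplied helper path and gives the child process an allowlisted environment. `DEFAULT_AUTHPROG`, the allowlist and the sample values are assumptions made for illustration.

```c
/* Added example: a setuid daemon choosing an auth helper and child environment.
   DEFAULT_AUTHPROG and ENV_ALLOW are hypothetical, not values from SAS. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_AUTHPROG "/opt/example/libexec/authhelper" /* hypothetical path */

/* Variables a privileged child may inherit (assumed allowlist). */
static const char *const ENV_ALLOW[] = { "TZ=", "LANG=" };

/* True when real and effective IDs differ, i.e. setuid/setgid execution. */
int is_privileged(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Pick the path handed to execve(). A caller-supplied 'authprog' is ignored
   when privileged, and relative paths are never accepted. */
const char *select_authprog(const char *env_value, int privileged) {
    if (privileged || env_value == NULL || env_value[0] != '/')
        return DEFAULT_AUTHPROG;
    return env_value;
}

/* Fill out[] with a fixed PATH plus allowlisted entries from src[];
   out[] is always NULL-terminated. Returns the number of entries. */
size_t build_clean_env(char *const src[], const char *out[], size_t cap) {
    size_t n = 0;
    if (cap < 2) { if (cap) out[0] = NULL; return 0; }
    out[n++] = "PATH=/usr/bin:/bin";
    for (size_t i = 0; src && src[i]; i++)
        for (size_t j = 0; j < sizeof ENV_ALLOW / sizeof *ENV_ALLOW; j++)
            if (n + 1 < cap && strncmp(src[i], ENV_ALLOW[j], strlen(ENV_ALLOW[j])) == 0)
                out[n++] = src[i];
    out[n] = NULL;
    return n;
}

int main(void) {
    /* Constructed sample environment, as an untrusted local user might set it. */
    char *const sample[] = { "authprog=/tmp/x.sh", "netencralg=AAAA",
                             "TZ=UTC", "LD_PRELOAD=/tmp/l.so", NULL };
    const char *clean[8];
    size_t n = build_clean_env(sample, clean, 8);
    printf("running privileged: %d\n", is_privileged());
    printf("helper when privileged: %s\n", select_authprog("/tmp/x.sh", 1));
    for (size_t i = 0; i < n; i++) printf("child env: %s\n", clean[i]);
    return 0;
}
```
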

Impact:   A local user can execute arbitrary code on the system with root level privileges, giving that user root access on the system.
Solution:   The vendor issued a fix for other SAS Job Spawner vulnerabilities in version 8.2. It is not clear if these newly reported vulnerabilities are also corrected in version 8.2. If the vendor clarifies, we will update this entry.
Vendor URL:
Cause:   Boundary error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  Tested on SunOS 5.8

Message History:   This archive entry is a follow-up to the message listed below.
Jan 29 2002 SAS Job Spawner Buffer Overflow and Format String Bug Let Local Users Execute Arbitrary Code on the System with Root Privileges and Gain Root Privileges on the System

 Source Message Contents

Subject:  sastcpd 8.0 'authprog' local root vulnerability

Several environment variable problems exist in the 'SAS Job Spawner for Open Systems version 8.00'. No other releases of the software were available to test. Sorry.

authprog vulnerability

The daemon passes a user-defined environment variable, 'authprog', to execve(). This obviously is a problem if sastcpd is setuid. A sample 'exploit' is attached.

netencralg vulnerability

I haven't poked at this long enough to determine whether or not it is exploitable. sastcpd segfaults if 'netencralg' is set to any

All tests were run on SunOS 5.8.
Both vulnerabilities were discovered with Dave Aitel's/AtStake simple-yet-sexy sharefuzz 1.0.
