Sun Solaris dtmail contains a format string vulnerability

2004-08-25T00:00:00
ID VU:928598
Type cert
Reporter CERT
Modified 2005-05-16T15:00:00

Description

Overview

A vulnerability in the way dtmail handles command-line arguments could allow an attacker to execute arbitrary code.

Description

The dtmail program is a mail user agent (MUA) for the Common Desktop Environment (CDE). It provides a graphical user interface for reading, sending, and managing email. There is a vulnerability in the way Sun Solaris dtmail handles command-line arguments. By supplying a specially crafted argv[0] value containing a format string specifier, a local user could execute arbitrary code with privileges of the vulnerable process.


Impact

A local user could execute arbitrary code with privileges of the vulnerable process, typically group mail. With these privileges, the user would have the ability to read, modify, and delete email of other users.


Solution

Apply patch

Sun has issued an advisory which addresses this issue. For more information on patches available for your system, please refer to Sun Security Alert 57627.


Remove set-group-ID bit

Remove the the "set-group-ID" bit from dtmail by doing the following:

chmod 0555 /usr/dt/bin/dtmail

Note: This may cause users to be unable to read NFS mounted mailboxes.


Vendor Information

928598

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Vendor has issued information

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Avaya Affected

Updated: May 16, 2005

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Avaya has published Avaya Security Advisory ASA-2005-110 in response to this issue. Users of the Avaya Call Management System (CMS) and Interactive Reponse (IR) products are encouraged to review this bulletin and apply the patches and workarounds it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc. Affected

Updated: August 25, 2004

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please refer to Sun Security Alert 57627.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | |
Temporal | |
Environmental | |

References

Acknowledgements

This vulnerability was reported by iDEFENSE Labs.

This document was written by Damon Morda.

Other Information

CVE IDs: | CVE-2004-0800
---|---
Severity Metric: | 5.63
Date Public: | 2004-08-23
Date First Published: | 2004-08-25
Date Last Updated: | 2005-05-16 15:00 UTC
Document Revision: | 20