Solaris Pluggable Authentication Module Local Overflow

1997-04-27T00:00:00
ID OSVDB:8216
Type osvdb
Reporter Cristian Schipor (skipo@sundy.cs.pub.ro)
Modified 1997-04-27T00:00:00

Description

Vulnerability Description

A local buffer overflow exists in the Solaris implementation of the Pluggable Authentication Module (PAM). PAM performs insufficient bounds checking on arguments, resulting in a boundary condition overflow. With a specially crafted request, an unauthorized user could overflow a buffer via the passwd program to gain root access. Under some versions of Solaris, yppasswd and nispasswd are hard links to the passwd program and are therefore also vulnerable.

Solution Description

Patches are available to all Sun customers at http://sunsolve.sun.com

Sun Solaris 2.3: Patch 101318-87
Sun Solaris 2.4_x86: Patch 101946-43
Sun Solaris 2.4: Patch 101945-49
Sun Solaris 2.5_x86: Patch 103179-03
Sun Solaris 2.5: Patch 103178-03
Sun Solaris 2.5.1_x86: Patch 104434-02
Sun Solaris 2.5.1: Patch 104433-03
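
A patch-level check for the patch list above, as an added example that is not part of the original advisory or Sun's tooling: it maps `uname -r` / `uname -p` to the listed patch and scans `showrev -p` output for that patch at the listed revision or higher. The function names and the sample `showrev -p` lines are constructed for illustration, and treating a higher revision of the same patch as containing the fix is an assumption.

```shell
#!/bin/sh
# Added example. Usage on the host being audited:
#   showrev -p | check_passwd_fix "$(uname -r)" "$(uname -p)"
# On Solaris substitute nawk: the legacy /usr/bin/awk has no -v option.

# Constructed sample input: the Solaris 2.5 fix one revision too old,
# plus an unrelated patch with a made-up ID.
SAMPLE_SHOWREV='Patch: 103178-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr'

# Print the patch this advisory lists for a release/processor pair.
# Solaris 2.x reports itself as SunOS 5.x in `uname -r`.
required_patch() {
    case "$1/$2" in
        5.3/sparc)   echo 101318-87 ;;
        5.4/i386)    echo 101946-43 ;;
        5.4/sparc)   echo 101945-49 ;;
        5.5/i386)    echo 103179-03 ;;
        5.5/sparc)   echo 103178-03 ;;
        5.5.1/i386)  echo 104434-02 ;;
        5.5.1/sparc) echo 104433-03 ;;
        *)           return 1 ;;   # release not covered by the advisory
    esac
}

# Read `showrev -p` output on stdin.
# Prints PATCHED (exit 0), VULNERABLE (exit 1) or UNKNOWN (exit 2).
# Assumption: a higher revision of the same patch ID includes the fix.
# A different patch ID that obsoletes the listed one is not recognised,
# so treat VULNERABLE as "confirm by hand", not as proof.
check_passwd_fix() {
    need=$(required_patch "$1" "$2") || { echo UNKNOWN; return 2; }
    awk -v need="$need" '
        BEGIN { split(need, n, "-"); best = -1 }
        $1 == "Patch:" {
            split($2, p, "-")                 # p[1] = base ID, p[2] = revision
            if (p[1] == n[1] && p[2] + 0 > best) best = p[2] + 0
        }
        END {
            if (best >= n[2] + 0) { print "PATCHED"; exit 0 }
            print "VULNERABLE"; exit 1
        }'
}
```
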


References:

Vendor Specific Advisory URL
Related OSVDB ID: 8217
Other Advisory URL: ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.09.Solaris.passwd.buffer.overrun.vul
ISS X-Force ID: 7432
CVE-1999-1158
Bugtraq ID: 201