SCO 5.0.6 issues (lpforms)

2001-03-28T00:00:00
ID SECURITYVULNS:DOC:1434
Type securityvulns
Reporter Securityvulns
Modified 2001-03-28T00:00:00

Description

====================================================================== Strategic Reconnisiance Team Security Advisory(SRT2001-06) Topic: SCO 5.0.6 issues (lpforms) Vendor: SCO Release Date: 03/27/01 ====================================================================== .: Description SCO OpenServer 5.0.6 ships with suid bin /opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpforms. lpforms has poor handling of command line arguments resulting in a buffer overflow. lpforms will core dump if fed more than 6240 chars.

.: Impact /opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpforms perl -e 'print "A" x 7000' Memory fault - core dumped

This problem makes it possible to overwrite memory space of the running process, and potentially execute code with the inherited privileges of bin.

.: Workaround

.: Systems Affected SCO OpenServer 5.0.6 upgrade from 5.0.x and 5.0.6 fresh install. chmod -s /opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpforms

.: Proof of Concept To be released at a later time.

.: Vendor Status Vendor was notified on 03/22/01. Vendor lab tests confirmed the issue. Patch status is unknown.

.: Credit Kevin Finisterre dotslash@snosoft.com, krfinisterre@checkfree.com

====================================================================== ©Copyright 2001 Secure Network Operations , Inc. All Rights Reserved. Strategic Reconnisiance Team | recon@snosoft.com http://recon.snosoft.com | http://www.snosoft.com