Well, Sun replied after about a week, week and a half. Not altogether great, but there are many companies who are much worse.

N.B. sections set off in []'s weren't in the original, and are added for clarification or other explanation.

---------- Forwarded message ----------
Date: Thu, 4 Mar 1999 17:34:41 -0800 (PST)
From: Chok Poh <Chok.Pohat_private>
To: jstricklat_private
Subject: buffer overflow in /usr/bin/cancel

Hi Josh,

Thank you for your report on /usr/bin/cancel. There is a buffer overflow as you had reported. However /usr/bin/cancel in Solaris 2.5.1 is not setuid root.

[uh... I never told him it was. I'm not sure where that came from. HOWEVER, I did tell him it IS in 2.6]

/usr/bin/cancel is also not setuid root in Solaris versions prior to 2.5.1.

[I didn't have access to any prior to 2.5.1, or I would have checked this out]

This buffer overflow was fixed in Solaris 7 before it was released.

[let's hear it for proactive code auditing!]

If you are also using Solaris 2.6, please install patch 106235-03. The patch will be available at the following URL in about 4 weeks:
http://sunsolve.sun.com/sunsolve/pubpatches/patches.html

[4 weeks!? Um. o.k.]

[When I was checking out this problem (i.e., overflowing the buffer ;), I kept on getting the following notice: ]

> UX:cancel: ERROR: Can't send message to the LP print service.
> TO FIX: The LP print service apparently has been
> stopped. Get help from your system
> administrator.

We are investigating the error message. Our tests showed that the LP was still up and running.

[not sure what was up w/ that... I guess they aren't either]

Thanks,
Chok

__________________________________________________________________________
Chok Poh
Sun Security Coordination Team
Sun Microsystems, Inc.
email: security-alertat_private
__________________________________________________________________________

[ It seems that this is not an exploitable condition (2.6, remember, is the only version that is suid, so this is what I'm speaking of), as only i and o registers are mangled, and not pc. However, it is disconcerting that overflow problems with lpr were fixed long ago, but similar problems with other _similar_ programs like lpstat and cancel were not audited at the same time. This kind of makes me wonder what other lp related suid progs may have buffer overflows in them? In any event, be sure to chmod cancel now if you happen to run 2.6, and get the patch when it comes out a month from now.

On another note, if the source were available, one could patch it him/herself, and have a fully functional _secure_ version of cancel in far less than 4 weeks. This is not meant as a Sun-bashing session, Sun has come up w/ some truly wonderful things (CDE, for example) that I think are great (would be better if it was free like KDE ;-) ). However, allocating buffers as big or even bigger than 1000 bytes for usernames (who has a 1000 byte username?) without doing any bounds checking is, to me, inexcusable.]

shameless plug: Hickcon, a conference of the Midsouth, will be held for the first time in Memphis, TN this summer. If you are interested in attending, speaking, or advertising at this con, please contact either myself or cnwav. Events will include lectures, a CTF contest, a coding contest, and a large dinner party is planned for Saturday night. The price will be about $50, and it will last from Friday night until Sunday morning. More information is available at http://www.hickcon.org

-Josh
a.k.a. tmbg of irc dalnet

Please reply to this address, jstricklat_private to contact me. For cnwav, please use cnwavat_private
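The closing complaint (a ~1000-byte username buffer copied into with no bounds check) is the whole bug class. As an added illustration that is not Sun's cancel(1) source and not code from the post, here is the unchecked pattern next to a hardened copy that validates the login name and rejects, rather than truncates, anything over-long; the buffer size and the 32-character login limit are assumed values, not figures from the page.

```c
#include <assert.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes: the post only says the real buffer is "1000 bytes or
 * bigger"; MAX_LOGIN is a policy limit chosen here, not a Sun constant. */
#define USER_BUF  1000
#define MAX_LOGIN 32

/* The pattern the post criticises: an unbounded copy of caller-supplied
 * text into a fixed stack buffer. Kept for contrast only; never called. */
void copy_user_unchecked(const char *src)
{
    char user[USER_BUF];
    strcpy(user, src);   /* writes past user[] once strlen(src) >= USER_BUF */
    (void)user;
}

/* Hardened form. Returns 0 and fills dst on success, -1 on rejection.
 * Over-long names are rejected instead of truncated, because a truncated
 * login name could silently name a different user. dst is always
 * NUL-terminated when dstsz > 0. */
int copy_user_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    if (dstsz == 0) return -1;
    dst[0] = '\0';
    /* Scan at most MAX_LOGIN+1 bytes so a huge input costs bounded work. */
    while (n <= MAX_LOGIN && src[n] != '\0') {
        unsigned char c = (unsigned char)src[n];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.')) return -1;
        n++;
    }
    if (n == 0 || n > MAX_LOGIN || n >= dstsz) return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

int main(void)
{
    char user[USER_BUF], big[2048];
    memset(big, 'A', sizeof big - 1);   /* constructed 2047-byte "name" */
    big[sizeof big - 1] = '\0';
    printf("lp          -> %d\n", copy_user_checked(user, sizeof user, "lp"));
    printf("2047 x 'A'  -> %d\n", copy_user_checked(user, sizeof user, big));
    return 0;
}
```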
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:38:09 PDT