SCO OpenServer Security Status

From: Michael Almond (mikeaat_private)
Date: Mon Dec 20 1999 - 13:45:57 PST


    Here is SCO OpenServer's status regarding the recent (and some
    not so recent) BUGTRAQ postings:
    
    UnixWare pkg* command exploits
        OpenServer is not vulnerable in exactly the same way via
        dacread privilege, but vulnerabilities exist through
        buffer overflows - we're working on fixing them.
    
    UnixWare coredumps following symlinks
        OpenServer does not have the same exact vulnerability wrt s[ug]id
        programs allowed to dump core, but there are vulnerabilities
        with programs that were s[ug]id and have relaxed it and general
        issues of coredumping on symlinked names - we're working on
        fixing both issues.
    
    Fundamental flaw in UnixWare 7 security
        OpenServer has a different security model to UW7 so this is not
        applicable.
    
    UnixWare read/modify users' mail (/var/spool/mail)
        This is also not applicable on OpenServer.  OpenServer's equivalent
        is /usr/spool/mail which has 1777 perms (world-writable, but sticky
        so only owner can delete files).  The local delivery agent will
        not deliver to a file not owned by the recipient; will not follow
        symlinks or write to a file with multiple names (hard links);
        and is designed to avoid race conditions.
    
    UnixWare and the dacread permission
        OpenServer has a different security model to UW7 so this is not
        applicable.
    
    UnixWare gain root with non-su/gid binaries: xauto
        Not applicable to OpenServer.
    
    
    We are working on the first two vulnerabilities and will have fixes
    available by December 31st.
    
    In addition to the first two vulnerabilities, we are also putting the
    finishing touches on another large collection of previously reported
    OpenServer vulnerabilities (and vulnerabilities we discovered ourselves)
    which will be available by December 25th.  The current contents include
    (but will not be limited to):
    
      1. Buffer overflows in:
    
        /usr/mmdf/chans/smtpsrvr
        /etc/killall
        /etc/popper
        /usr/bin/mscreen
        /usr/bin/rlogin
        /bin/su
        /usr/lib/sysadm/termsh
        /usr/lib/libX11.so.5.0
        /usr/lib/libXt.so.5.0
        /usr/lib/libXmu.so.5.0
        /usr/lib/libXaw.so.5.0
        /usr/lib/libX11.a
        /usr/lib/libXt.a
        /usr/lib/libXmu.a
        /usr/lib/libXaw.a
        /usr/bin/X11/xterm
        /usr/bin/X11/xload
        /usr/bin/X11/scoterm
        /usr/bin/X11/scolock
        /usr/bin/X11/scosession
        /usr/bin/X11/scologin
        /usr/lpd/remote/rlpstat
        /usr/lpd/remote/cancel
        /usr/lpd/remote/lpmove
    
    
      2. Algorithmic vulnerabilities in:
    
        /etc/sysadm.d/bin/userOsa:
          Can improperly write to privileged files
    
        /usr/bin/X11/Xsco:
          Can improperly read privileged files
          (also buffer overflows)
    
        /bin/hello:
          Can improperly access privileged devices
          Allows transmission of dangerous characters
    
        /bin/write:
          Allows transmission of dangerous characters
    
        /bin/login:
          Corrupt /etc/dialups causes login failure
          Insufficient error checking
    
    
    Michael Almond
    mikeaat_private
    SCO OpenServer Team Lead
    
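The delivery-agent checks the post describes for /usr/spool/mail (refuse a spool file not owned by the recipient, refuse symlinks and files with more than one name, and re-verify after opening so a check-then-open race is caught) as an added example in C; this is not SCO's code, `safe_open_mailbox` and `run_demo` are hypothetical names, and the temp-directory fixtures are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0   /* older libc: the lstat/fstat comparison below still catches symlinks */
#endif

/* Hypothetical hardened spool-file open (added example, not SCO's code). Returns a
 * writable fd, or -1 on any check from the post: wrong owner, not a plain file
 * (symlink), more than one name (hard link), or swapped between check and open. */
int safe_open_mailbox(const char *path, uid_t recipient)
{
    struct stat pre, post;
    if (lstat(path, &pre) != 0) return -1;       /* never create: the mailbox must exist */
    if (!S_ISREG(pre.st_mode)) return -1;        /* lstat sees the symlink itself, not its target */
    if (pre.st_nlink != 1) return -1;            /* a second name (hard link) exists somewhere */
    if (pre.st_uid != recipient) return -1;      /* owned by someone other than the recipient */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0) return -1;
    /* Re-check the object actually opened against what lstat saw (closes the TOCTOU window). */
    if (fstat(fd, &post) != 0 || post.st_dev != pre.st_dev ||
        post.st_ino != pre.st_ino || post.st_nlink != 1 || post.st_uid != recipient) {
        close(fd); return -1;
    }
    return fd;
}

/* Constructed fixtures in a temp dir; returns a bitmask of cases that behaved
 * correctly (0xF = all four), so a test can assert on the result. */
int run_demo(void)
{
    char dir[] = "/tmp/mboxdemoXXXXXX", plain[64], symp[64], hardp[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(plain, sizeof plain, "%s/alice", dir);
    snprintf(symp, sizeof symp, "%s/bob", dir);
    snprintf(hardp, sizeof hardp, "%s/carol", dir);
    int result = 0, fd = open(plain, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    close(fd);
    if ((fd = safe_open_mailbox(plain, getuid())) >= 0) { result |= 1; close(fd); } /* genuine mailbox */
    if (safe_open_mailbox(plain, getuid() + 1) < 0) result |= 2;   /* wrong recipient uid */
    if (symlink("/etc/passwd", symp) == 0 && safe_open_mailbox(symp, getuid()) < 0) result |= 4;
    if (link(plain, hardp) == 0 && safe_open_mailbox(plain, getuid()) < 0) result |= 8; /* nlink now 2 */
    unlink(symp); unlink(hardp); unlink(plain); rmdir(dir);
    return result;
}
```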



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:22:17 PDT