sastcpd 8.0 'authprog' local root vulnerability

From: rpc (rpcat_private)
Date: Wed Jan 30 2002 - 22:40:58 PST

Next message: Gavin Lowe: "RE: Long path exploit on NTFS"

Previous message: Root Extractor: "[ WWWThreads, UBBThreads ] Security Hole in upload system"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

Several environment variable problems exist in the 'SAS Job Spawner for Open Systems version 8.00'. No other releases of the software were available to test. Sorry.

authprog vulnerability
----------------------

The daemon passes a user-defined environment variable, 'authprog', to execve(). This obviously is a problem if sastcpd is setuid. A sample 'exploit' is attached.

netencralg vulnerability
------------------------

I haven't poked at this long enough to determine whether or not it is exploitable. sastcpd segfaults if 'netencralg' is set to any value.

All test were run on SunOS 5.8.
Both vulnerabilities were discovered with Dave Aitel's/AtStake simple-yet-sexy sharefuzz 1.0.

cheers,
--rpc

text/x-sh attachment: authme.sh

application/pgp-signature attachment: stored

Next message: Gavin Lowe: "RE: Long path exploit on NTFS"
Previous message: Root Extractor: "[ WWWThreads, UBBThreads ] Security Hole in upload system"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 15:05:58 PST