Security Update: [CSSA-2002-SCO.12] Open UNIX, UnixWare 7: rpc.cmsd can be remotely exploited

From: securityat_private
Date: Wed Mar 20 2002 - 15:12:33 PST

    To: bugtraqat_private announceat_private scoannmodat_private
    
    ___________________________________________________________________________
    
    	    Caldera International, Inc. Security Advisory
    
    Subject:		Open UNIX, UnixWare 7: rpc.cmsd can be remotely exploited
    Advisory number: 	CSSA-2002-SCO.12
    Issue date: 		2002 March 20
    Cross reference:
    ___________________________________________________________________________
    
    
    1. Problem Description
    	
      1.1 Overview
    
    	The rpc.cmsd command would overflow a buffer under certain
    	circumstances, allowing the possibility of a remote user to
    	gain privilege.
    
    
      1.2 Detail
      
    	The exploit code provided by jGgM requests program 100068
    	version 4 on UDP (implemented by /usr/dt/bin/rpc.cmsd) and
    	then does a single RPC call to procedure 21 (rtable_create),
    	passing 2 strings, one of which creates a buffer overflow.
    
    	In $BASE/server/rtable4.c, _DtCm_rtable_create_4_svc(args)
    	takes args of type Table_Op_Args_4, which carries 2 client
    	supplied strings: args->target and args->new_target.
    	"new_target" is never used and "target" creates the overflow
    	later on.
    
    	_DtCmGetPrefix will overflow its local variable "buf" if the
    	"sep" parameter that ends the prefix is not present.
    
    	A secondary problem may also occur because
    	_DtCm_rtable_create_4_svc does not make sure that the length
    	of args->target is < BUFSIZ.
    
    
    2. Vulnerable Supported Versions
    
    	Operating System	Version		Affected Files
    	------------------------------------------------------------------
    	UnixWare 7		7.1.1		/usr/dt/bin/rpc.cmsd
    	Open UNIX		8.0.0		/usr/dt/bin/rpc.cmsd
    
    
    3. Workaround
    
    	None.
    
    
    4. UnixWare 7, Open UNIX 8
    
      4.1 Location of Fixed Binaries
    
    	ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.12/
    
    
      4.2 Verification
    
    	MD5 (erg711942b.Z) = 64d49dcd622cccbb2e7553e2706bc33d
    
    
    	md5 is available for download from
    		ftp://stage.caldera.com/pub/security/tools/
    
    
      4.3 Installing Fixed Binaries
    
    	Upgrade the affected binaries with the following commands:
    
    	Download erg711942b.Z to the /var/spool/pkg directory
    
    	# uncompress /var/spool/pkg/erg711942b.Z
    	# pkgadd -d /var/spool/pkg/erg711942b
    
    
    5. References
    
    	Specific references for this advisory:
    
    		none
    
    
    	Caldera UNIX security resources:
    
    		http://stage.caldera.com/support/security/
    		       
    	Caldera OpenLinux security resources:
    
    		http://www.caldera.com/support/security/index.html
    
    
    	This advisory addresses Caldera Security internal incidents
    	sr858623, fz519829, erg711942.
    
    
    6. Disclaimer
    
    	Caldera International, Inc. is not responsible for the misuse
    	of any of the information we provide on our website and/or
    	through our security advisories. Our advisories are a service
    	to our customers intended to promote secure installation and
    	use of Caldera International products.
    
    
    7. Acknowledgements
    
    	This vulnerability was discovered and researched by jGgM
    	<jggmat_private>.
    
    	 
    ___________________________________________________________________________
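
Added example, not part of the advisory and not the CDE source: a bounded form of the two checks that section 1.2 says were missing, namely a prefix copy that stays inside its buffer when the separator is absent, and a length check on the client-supplied target against BUFSIZ. The function names, signatures and sample strings are hypothetical and constructed for illustration.

```c
#include <stdio.h>   /* BUFSIZ, printf */
#include <string.h>

/* Hypothetical helper, not the CDE source: copy the part of str that
 * precedes sep into out (capacity outsz). Returns the prefix length,
 * or -1 if the arguments are invalid or the prefix does not fit. */
static int get_prefix_bounded(const char *str, char sep, char *out, size_t outsz)
{
    if (str == NULL || out == NULL || outsz == 0)
        return -1;

    /* The advisory's failing case is an absent sep: a copy that stops
     * only at sep or NUL then moves the whole client string into a
     * fixed local buffer. Here the length is computed and checked first. */
    const char *end = strchr(str, sep);
    size_t len = end ? (size_t)(end - str) : strlen(str);

    if (len >= outsz) {          /* would not fit with its terminator */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, str, len);
    out[len] = '\0';
    return (int)len;
}

/* Hypothetical entry-point check for the secondary problem: accept a
 * client-supplied target only if its length is < BUFSIZ. memchr stops
 * at the first NUL, so it never scans more than BUFSIZ bytes. */
static int target_len_ok(const char *target)
{
    return target != NULL && memchr(target, '\0', BUFSIZ) != NULL;
}

int main(void)
{
    char buf[16];                       /* constructed sizes and inputs */
    char longname[BUFSIZ + 8];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("%d\n", get_prefix_bounded("alice@host", '@', buf, sizeof buf));
    printf("%d\n", get_prefix_bounded(longname, '@', buf, sizeof buf));
    printf("%d\n", target_len_ok(longname));
    return 0;
}
```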