eSecurityOnline Security Advisory 2406 - CDE dtprintinfo Help search buffer overflow vulnerability

From: researchteam5at_private
Date: Mon Apr 29 2002 - 12:55:15 PDT


    eSO Security Advisory:  2406  
    Discovery Date:         March 31, 2000 
    ID:                     eSO:2406
    Title:                  CDE dtprintinfo Help search buffer overflow
                            vulnerability 
    Impact:                 Local attackers can gain root level access
    Affected Technology:    Solaris 2.4, 2.5, 2.5.1, 2.6, 7, 8 SPARC and x86
                            HP-UX 10.10, 10.20, 10.24, 11.00, 11.04, 11.11
                            IBM AIX 4.3, 4.3.1, 4.3.2, 4.3.3
                            Compaq Tru64 5.1A, 5.1, 5.0A, 4.0G, 4.0F
                            CDE  
    Vendor Status:          Patches are available
    Discovered By:          Kevin Kotas of the eSecurityOnline Research
                            and Development Team 
    CVE Reference:          CAN-2001-0551
    
    Advisory Location:
    http://www.eSecurityOnline.com/advisories/eSO2406.asp 
    
    Description:
    The CDE dtprintinfo program is vulnerable to a buffer overflow that
    allows a local attacker to gain root access. The problem is caused by
    insufficient bounds checking on the Help volume search field. An
    attacker can supply a specially crafted string as the search parameter
    and gain root privileges.
    
    In the dtprintinfo Help, an Index search function permits querying by
    keyword. If a string of appropriate length is inserted into the 
    'Entries with' field and a single Help Volume is selected for the
    search, an exploitable buffer overflow will occur.  
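    The bug class the advisory describes, as an added illustration that is
    not dtprintinfo's code (its internals are not shown here): a
    user-controlled Help search keyword copied into a fixed-size stack
    buffer without a length check, next to the bounds-checked form a fix
    would use. The function names and the 64-byte capacity are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define KEYWORD_MAX 64   /* assumed capacity of the search buffer */

/* Pattern the advisory describes (hypothetical, not dtprintinfo's code):
 * the 'Entries with' keyword is copied without comparing its length to the
 * destination, so an overlong entry overruns the stack buffer. Shown for
 * contrast only; never call it on untrusted or long input. */
void lookup_keyword_unchecked(const char *entry)
{
    char keyword[KEYWORD_MAX];
    strcpy(keyword, entry);             /* no bounds check: the defect */
    printf("searching for '%s'\n", keyword);
}

/* Hardened form: the entry must fit in the destination including its
 * terminating NUL, otherwise it is rejected rather than truncated.
 * Returns 0 on success and -1 when the entry is rejected. */
int lookup_keyword_checked(const char *entry, char *out, size_t outlen)
{
    /* Look for the terminator only within the space we can actually hold;
     * strlen() on an unbounded entry would itself read past the buffer. */
    const char *nul = memchr(entry, '\0', outlen);
    if (nul == NULL)                    /* too long to fit with terminator */
        return -1;
    memcpy(out, entry, (size_t)(nul - entry) + 1);
    return 0;
}

int main(void)
{
    char keyword[KEYWORD_MAX];
    char overlong[KEYWORD_MAX * 4];     /* constructed overlong entry */
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';

    printf("short entry:    %d\n",
           lookup_keyword_checked("printer", keyword, sizeof keyword));
    printf("overlong entry: %d\n",
           lookup_keyword_checked(overlong, keyword, sizeof keyword));
    return 0;
}
```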
    
    Technical Recommendation:
    Upgrade with the following patches.
    
    Solaris 2.4, 2.5, 2.5.1 SPARC:
    105076-04
    
    Solaris 2.4, 2.5, 2.5.1 x86:
    105354-04
    
    Solaris 2.6 SPARC:
    106242-03
    
    Solaris 2.6 x86:
    106243-03
    
    Solaris 7 SPARC:
    107178-02
    
    Solaris 7 x86:
    107179-02
    
    Solaris 8 SPARC:
    108949-04
    
    Solaris 8 x86:
    108950-04
    
    IBM AIX:
    
    AIX 4.3.x:
    APAR #IY21539
    
    AIX 5.1:
    APAR #IY20917
    
    Compaq:
    SSRT1-78U
    SSRT0788U
    SSRT0757U
    SSRT-541
    
    HP-UX:
    10.10:   PHSS_23355 
    10.20:   PHSS_23796 
    10.24:   PHSS_24097 
    11.00:   PHSS_23797 
    11.04:   PHSS_24098 
    11.11:   PHSS_24087, PHSS_24091 
    
    Acknowledgements:
    eSecurityOnline would like to thank Sun Microsystems and the Sun 
    security team for their cooperation in resolving the issue.  
    
    Copyright 2002 eSecurityOnline LLC.  All rights reserved.  
    
    THE INFORMATION IN THIS VULNERABILITY ALERT IS PROVIDED BY 
    ESECURITYONLINE LLC "AS IS", "WHERE IS", WITH NO WARRANTY OF ANY KIND,
    AND ESECURITYONLINE LLC HEREBY DISCLAIMS THE IMPLIED WARRANTIES OF 
    NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    PURPOSE.  ESECURITYONLINE LLC SHALL HAVE NO LIABILITY FOR ANY DAMAGE,
    CLAIM OR LOSS RESULTING FROM YOUR USE OF THE INFORMATION CONTAINED IN
    THIS VULNERABILITY ALERT.
    
    This archive was generated by hypermail 2b30 : Mon Apr 29 2002 - 18:27:28 PDT