From: security@caldera.com
To: bugtraq@securityfocus.com, announce@lists.caldera.com, scoannmod@xenitec.on.ca
Date: Wed, 20 Mar 2002 15:12:33 -0800
Subject: Security Update: [CSSA-2002-SCO.12] Open UNIX, UnixWare 7: rpc.cmsd can be remotely exploited

___________________________________________________________________________

                Caldera International, Inc. Security Advisory

Subject:                Open UNIX, UnixWare 7: rpc.cmsd can be remotely exploited
Advisory number:        CSSA-2002-SCO.12
Issue date:             2002 March 20
Cross reference:
___________________________________________________________________________

1. Problem Description

   1.1 Overview

   The rpc.cmsd command can be made to overflow a buffer under certain
   circumstances, which could allow a remote user to gain privilege.

   1.2 Detail

   The exploit code provided by jGgM requests program 100068 version 4
   on UDP (implemented by /usr/dt/bin/rpc.cmsd) and then makes a single
   RPC call to procedure 21 (rtable_create), passing two strings, one of
   which triggers a buffer overflow.

   The call is handled by $BASE/server/rtable4.c:_DtCm_rtable_create_4_svc(args),
   where args is of type Table_Op_Args_4 and carries the two client-supplied
   strings as args->target and args->new_target. "new_target" is never used;
   "target" is what causes the overflow later on.

   _DtCmGetPrefix will overflow its local variable "buf" if the "sep"
   parameter that is expected to terminate the prefix is not present in the
   string.

   A secondary problem may also occur because _DtCm_rtable_create_4_svc does
   not make sure that the length of args->target is < BUFSIZ.

2. Vulnerable Supported Versions

   Operating System        Version         Affected Files
   ------------------------------------------------------------------
   UnixWare 7              7.1.1           /usr/dt/bin/rpc.cmsd
   Open UNIX               8.0.0           /usr/dt/bin/rpc.cmsd

3. Workaround

   None.

4. UnixWare 7, Open UNIX 8

   4.1 Location of Fixed Binaries

   ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.12/

   4.2 Verification

   MD5 (erg711942b.Z) = 64d49dcd622cccbb2e7553e2706bc33d

   md5 is available for download from
   ftp://stage.caldera.com/pub/security/tools/

   4.3 Installing Fixed Binaries

   Upgrade the affected binaries with the following commands:

   Download erg711942b.Z to the /var/spool/pkg directory

   # uncompress /var/spool/pkg/erg711942b.Z
   # pkgadd -d /var/spool/pkg/erg711942b

5. References

   Specific references for this advisory: none

   Caldera UNIX security resources:
   http://stage.caldera.com/support/security/

   Caldera OpenLinux security resources:
   http://www.caldera.com/support/security/index.html

   This advisory addresses Caldera Security internal incidents
   sr858623, fz519829, erg711942.

6. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of any of
   the information we provide on our website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera International products.

7. Acknowledgements

   This vulnerability was discovered and researched by jGgM.

___________________________________________________________________________
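The two defects named in section 1.2 (an unbounded copy of the prefix when the terminating separator is absent, and a missing length check on the client-supplied target string) illustrated as an added C example written for this page. It is not Caldera or CDE source: the function names, the buffer sizes PREFIX_BUF and TARGET_MAX, the ':' separator and the sample strings are assumptions standing in for rpc.cmsd's own "buf", "sep" and BUFSIZ. The unsafe pattern is shown only for contrast with the bounded version that reports failure instead of running off the end of the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sizes; stand-ins for the local "buf" in _DtCmGetPrefix and
 * for the BUFSIZ limit mentioned in the advisory's secondary check. */
#define PREFIX_BUF 64
#define TARGET_MAX 1024

/* The unsafe pattern described in the advisory: copy characters up to 'sep'
 * into a fixed-size buffer with no bound. If 'sep' never appears, the copy
 * continues past the end of buf. Shown for contrast only; never call it on
 * input you do not control. */
void get_prefix_unsafe(const char *s, char sep, char *buf)
{
    while (*s != '\0' && *s != sep)
        *buf++ = *s++;
    *buf = '\0';
}

/* Hardened form: the caller passes the buffer size, the separator must be
 * present, and the prefix (plus terminator) must fit. Returns the prefix
 * length on success, -1 on any failure, and never writes past buf[bufsz-1]. */
int get_prefix_safe(const char *s, char sep, char *buf, size_t bufsz)
{
    const char *end;
    size_t len;

    if (s == NULL || buf == NULL || bufsz == 0)
        return -1;
    end = strchr(s, sep);
    if (end == NULL)
        return -1;              /* separator missing: refuse the request */
    len = (size_t)(end - s);
    if (len >= bufsz)
        return -1;              /* prefix would not fit with its terminator */
    memcpy(buf, s, len);
    buf[len] = '\0';
    return (int)len;
}

/* Mirrors the advisory's secondary check: accept a client-supplied target
 * only if it is strictly shorter than the buffer it will later be copied
 * into. Scans at most 'limit' bytes so an unterminated string is also
 * rejected. Returns 1 if acceptable, 0 otherwise. */
int target_length_ok(const char *target, size_t limit)
{
    size_t i;
    if (target == NULL)
        return 0;
    for (i = 0; i < limit; i++)
        if (target[i] == '\0')
            return 1;
    return 0;
}

int main(void)
{
    char buf[PREFIX_BUF];
    /* Constructed sample inputs: one well-formed, one with no separator. */
    const char *good = "calendar:host.example";
    const char *no_sep = "calendarhostexample";
    int n;

    n = get_prefix_safe(good, ':', buf, sizeof buf);
    printf("good   -> %d \"%s\"\n", n, n >= 0 ? buf : "");
    n = get_prefix_safe(no_sep, ':', buf, sizeof buf);
    printf("no_sep -> %d (rejected)\n", n);
    printf("target_length_ok(good) = %d\n",
           target_length_ok(good, TARGET_MAX));
    return 0;
}
```

The check that matters is the one on the "no_sep" path: the unsafe variant keeps writing until it finds a NUL, whereas the bounded variant fails closed before touching the buffer, which is also the point at which a server should log and drop the request rather than continue processing.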