From researchteam5@esecurityonline.com Fri May 3 03:38:49 2002
From: researchteam5@esecurityonline.com
To: vulnwatch@vulnwatch.org, bugtraq@securityfocus.com
Cc: ken.williams@ey.com
Date: Mon, 29 Apr 2002 14:55:15 -0500
Subject: eSecurityOnline Security Advisory 2406 - CDE dtprintinfo Help search buffer overflow vulnerability

eSO Security Advisory: 2406
Discovery Date: March 31, 2000
ID: eSO:2406
Title: CDE dtprintinfo Help search buffer overflow vulnerability
Impact: Local attackers can gain root level access
Affected Technology:
  Solaris 2.4, 2.5, 2.5.1, 2.6, 7, 8 SPARC and x86
  HP-UX 10.10, 10.20, 10.24, 11.00, 11.04, 11.11
  IBM AIX 4.3, 4.3.1, 4.3.2, 4.3.3
  Compaq Tru64 5.1A, 5.1, 5.0A, 4.0G, 4.0F CDE
Vendor Status: Patches are available
Discovered By: Kevin Kotas of the eSecurityOnline Research and Development Team
CVE Reference: CAN-2001-0551
Advisory Location: http://www.eSecurityOnline.com/advisories/eSO2406.asp

Description:

The CDE dtprintinfo program is vulnerable to a buffer overflow condition that allows a local attacker to gain root access. The problem occurs due to insufficient bounds checking in the Volume search field from the Help section. An attacker can insert a specially crafted string for the search parameter and gain root privileges.

In the dtprintinfo Help, an Index search function permits querying by keyword. If a string of appropriate length is inserted into the 'Entries with' field and a single Help Volume is selected for the search, an exploitable buffer overflow will occur.

Technical Recommendation:

Upgrade with the following patches.

Solaris:
  Solaris 2.4, 2.5, 2.5.1 SPARC: 105076-04
  Solaris 2.4, 2.5, 2.5.1 x86: 105354-04
  Solaris 2.6 SPARC: 106242-03
  Solaris 2.6 x86: 106243-03
  Solaris 7 SPARC: 107178-02
  Solaris 7 x86: 107179-02
  Solaris 8 SPARC: 108949-04
  Solaris 8 x86: 108950-04

IBM AIX:
  AIX 4.3.x: APAR #IY21539
  AIX 5.1: APAR #IY20917

Compaq:
  SSRT1-78U SSRT0788U SSRT0757U SSRT-541

HP-UX:
  10.10: PHSS_23355
  10.20: PHSS_23796
  10.24: PHSS_24097
  11.00: PHSS_23797
  11.04: PHSS_24098
  11.11: PHSS_24087, PHSS_24091

Acknowledgements:

eSecurityOnline would like to thank Sun Microsystems and the Sun security team for their cooperation in resolving the issue.

Copyright 2002 eSecurityOnline LLC. All rights reserved.

THE INFORMATION IN THIS VULNERABILITY ALERT IS PROVIDED BY ESECURITYONLINE LLC "AS IS", "WHERE IS", WITH NO WARRANTY OF ANY KIND, AND ESECURITYONLINE LLC HEREBY DISCLAIMS THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. ESECURITYONLINE LLC SHALL HAVE NO LIABILITY FOR ANY DAMAGE, CLAIM OR LOSS RESULTING FROM YOUR USE OF THE INFORMATION CONTAINED IN THIS VULNERABILITY ALERT.
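
Added example (not part of the original advisory, and not eSecurityOnline or vendor code): a shell check that reads Solaris `showrev -p` output and reports whether the patch listed in the Technical Recommendation is installed at the required revision or later. The function names are hypothetical, the sample lines are constructed, and two assumptions are made: Solaris 2.x/7/8 report `uname -r` as 5.x, and a patch listed under another patch's "Obsoletes:" field counts as installed.

```shell
# Added example: verify the advisory's Solaris patch level from `showrev -p` output.
# Minimum patch per `uname -r` / `uname -p` (IDs and revisions from the advisory).
required_patch() {
    case "$1/$2" in
        5.4/sparc|5.5/sparc|5.5.1/sparc) echo 105076-04 ;;
        5.4/i386|5.5/i386|5.5.1/i386)    echo 105354-04 ;;
        5.6/sparc) echo 106242-03 ;;
        5.6/i386)  echo 106243-03 ;;
        5.7/sparc) echo 107178-02 ;;
        5.7/i386)  echo 107179-02 ;;
        5.8/sparc) echo 108949-04 ;;
        5.8/i386)  echo 108950-04 ;;
        *) return 1 ;;
    esac
}

# stdin: `showrev -p` output. Succeeds if patch base $1 is installed at
# revision >= $2, or is listed as obsoleted at that revision by another patch.
patch_at_least() {
    awk -v base="$1" -v min="$2" '
        { scan = 0
          for (i = 1; i <= NF; i++) {
              if ($i == "Patch:" || $i == "Obsoletes:") { scan = 1; continue }
              if ($i ~ /:$/) { scan = 0; continue }
              if (!scan) continue
              p = $i; sub(/,$/, "", p); split(p, id, "-")
              if (id[1] == base && id[2] + 0 >= min + 0) found = 1
          } }
        END { exit (found ? 0 : 1) }'
}

# args: release arch; stdin: `showrev -p` output.
check_dtprintinfo_patch() {
    req=$(required_patch "$1" "$2") || { echo "UNKNOWN $1/$2"; return 2; }
    if patch_at_least "${req%-*}" "${req#*-}"; then
        echo "PATCHED $req"
    else
        echo "MISSING $req"; return 1
    fi
}

# Constructed sample lines (not from a real host; 199999-01 is a made-up ID).
sample_showrev() {
    cat <<'EOF'
Patch: 108949-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtbas
Patch: 107178-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtbas
Patch: 199999-01 Obsoletes: 106242-03, 100000-01 Requires:  Incompatibles:  Packages: SUNWdtbas
EOF
}
```

On a live host the call would be `showrev -p | check_dtprintinfo_patch "$(uname -r)" "$(uname -p)"`; the HP-UX, AIX and Tru64 entries in the advisory use different patch tooling and are not covered here.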