From researchteam5@esecurityonline.com Fri May 3 03:38:57 2002 From: researchteam5@esecurityonline.com To: vulnwatch@vulnwatch.org, bugtraq@securityfocus.com Cc: ken.williams@ey.com Date: Mon, 29 Apr 2002 15:14:05 -0500 Subject: eSecurityOnline Security Advisory 3761 - Sun Solaris lbxproxy dis play name buffer overflow vulnerability eSO Security Advisory: 3761 Discovery Date: July 5, 2001 ID: eSO:3761 Title: Sun Solaris lbxproxy display name buffer overflow vulnerability Impact: Local attackers can gain group root privileges Affected Technology: Sun Solaris 8 x86 Vendor Status: Vendor notified Discovered By: Kevin Kotas of the eSecurityOnline Research and Development Team CVE Reference: CAN-2002-0090 Advisory Location: http://www.eSecurityOnline.com/advisories/eSO3761.asp Description: Sun Solaris lbxproxy is vulnerable to a buffer overflow condition that can allow an attacker to execute arbitrary code. The overflow occurs due to insufficient bounds checking on the display command line option. A display name can be given that, when processed, will alter program execution. Technical Recommendation: As a workaround solution, remove the setgid bit from the program. chmod -s /usr/openwin/bin/lbxproxy Copyright 2002 eSecurityOnline LLC. All rights reserved. THE INFORMATION IN THIS VULNERABILITY ALERT IS PROVIDED BY ESECURITYONLINE LLC "AS IS", "WHERE IS", WITH NO WARRANTY OF ANY KIND, AND ESECURITYONLINE LLC HEREBY DISCLAIMS THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. ESECURITYONLINE LLC SHALL HAVE NO LIABILITY FOR ANY DAMAGE, CLAIM OR LOSS RESULTING FROM YOUR USE OF THE INFORMATION CONTAINED IN THIS VULNERABILITY ALERT. From cmr@iisc.com Fri May 3 03:40:23 2002 From: "Charles M. Richmond" To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org Date: Wed, 01 May 2002 08:34:13 -0400 Subject: Re: eSecurityOnline Security Advisory 3761 - Sun Solaris lbxproxy dis play name buffer overflow vulnerability It looks like this buffer overflow is also in the Sparc versions. Solaris 8 - Patch-ID# 108652-51 Solaris 8x86 - Patch-ID# 108653-41 There are also Solaris 7 patches available. 107654-09 (x86 107655-09) which in '-08' addressed a buffer overflow issue that affected suid/sgid X programs. > eSO Security Advisory: 3761 > Discovery Date: July 5, 2001 > ID: eSO:3761 > Title: Sun Solaris lbxproxy display name buffer > overflow vulnerability > Impact: Local attackers can gain group root privileges > Affected Technology: Sun Solaris 8 x86 > Vendor Status: Vendor notified > Discovered By: Kevin Kotas of the eSecurityOnline Research > and Development Team > CVE Reference: CAN-2002-0090 > > Advisory Location: > http://www.eSecurityOnline.com/advisories/eSO3761.asp *********************************************************************** * Charles Richmond Integrated International Systems Corporation * * cmr@iisc.com cmr@acm.org cmr@shore.net http://www.iisc.com * * UNIX Internals, I18N, L10N, X, Realtime Imaging, and Custom S/W * * 131 Bishop's Forest Drive , Waltham , Ma. USA 02452 * * (781) 647 2269 FAX (781) 647 3665 Cellular (781) 389 9777 * ***********************************************************************