From researchteam@esecurityonline.com Fri May 24 05:27:49 2002 From: researchteam@esecurityonline.com To: vulnwatch@vulnwatch.org, bugtraq@securityfocus.com Cc: ken.williams@ey.com Date: Mon, 20 May 2002 17:20:59 -0500 Subject: [VulnWatch] eSecurityOnline advisory 5063 - Sun AnswerBook2 gettransbitmap buffer overflow vulnerability [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] eSO Security Advisory: 5063 Discovery Date: March 1, 2002 ID: eSO:5063 Title: Sun AnswerBook2 gettransbitmap buffer overflow vulnerability Impact: Remote attackers can execute arbitrary code. Affected Technology: Sun AnswerBook2 1.4, 1.4.1, 1.4.2, 1.4.3 Vendor Status: Vendor notified. Discovered By: Kevin Kotas of the eSecurityOnline Research and Development Team CVE Reference: CAN-2002-0360 Advisory Location: http://www.eSecurityOnline.com/advisories/eSO5063.asp Description: Sun AnswerBook2 is vulnerable to a stack based buffer overflow condition that can allow a remote attacker to execute arbitrary code. The problem is due to the gettransbitmap CGI that comes with AnswerBook2 not correctly performing bounds checking on the filename argument. A remote attacker can create a request that will result in arbitrary code execution with user daemon privileges. Technical Recommendation: Presently, there are no vendor patches available. As a workaround solution, remove access to the gettransbitmap binary. chmod 0000 /gettransbitmap Otherwise, disable AnswerBook2. © 2002 eSecurityOnline LLC. All rights reserved. THE INFORMATION IN THIS VULNERABILITY ALERT IS PROVIDED BY ESECURITYONLINE LLC "AS IS", "WHERE IS", WITH NO WARRANTY OF ANY KIND, AND ESECURITYONLINE LLC HEREBY DISCLAIMS THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. ESECURITYONLINE LLC SHALL HAVE NO LIABILITY FOR ANY DAMAGE, CLAIM OR LOSS RESULTING FROM YOUR USE OF THE INFORMATION CONTAINED IN THIS VULNERABILITY ALERT.