Bugtraq mailing list archives
[Fwd: Failed mail]
From: KF <dotslash () snosoft com>
Date: Tue, 02 Oct 2001 09:07:22 -0400
Well I tried to mail this to the SCO / Caldera security aliases but they keep bouncing back so I will send it here instead... this is regarding the recent DT overflows on OpenUnix8.

-KF

-------- Original Message --------
Subject: Failed mail
Date: Mon, 1 Oct 2001 17:08:31 PDT
From: MMDF Mail System <mmdf () sco COM>
To: dotslash () snosoft com

Trouble sending mail on sco.sco.COM:

============ Transcript follows ============

(USER) Unknown user name in "tigger () sco com"
(USER) Unknown user name in "sco-security () sco com"
Submit error: No valid addresses

============== Message follows =============

Received: from clmboh1-smtp3.columbus.rr.com(65.24.0.112) via SMTP by sco.ca.caldera.COM, id smtpdAAAa006kA; Mon Oct 1 17:08:28 2001
Received: from osxinsightrrcom (dhcp065-024-239-073.insight.rr.com [65.24.239.73]) by clmboh1-smtp3.columbus.rr.com (8.11.2/8.11.2) with ESMTP id f920XDR13482; Mon, 1 Oct 2001 20:33:13 -0400 (EDT)
Message-Id: <200110020033.f920XDR13482 () clmboh1-smtp3 columbus rr com>
Date: Sun, 30 Sep 2001 20:36:19 -0700
From: KF <dotslash () snosoft com>
Content-Type: text/plain; format=flowed; charset=us-ascii
X-Mailer: Apple Mail (2.388)
Cc: sco-security () sco com
To: tigger () sco com
Mime-Version: 1.0 (Apple Message framework v388)
Content-Transfer-Encoding: 7bit
Subject: SECURITY ISSUE in DT YOU MISSED A COUPLE BINARIES.

Begin forwarded message:

From: MAILER-DAEMON () caldera co <sco-security () caldera com>: Sorry, no mailbox here by that name. (#5.1.1)
Subject: Re: Security Update: [CSSA-2001-SCO.22] Open Unix, UnixWare 7: dtprintinfo environment buffer overflow

Hey guys I installed OpenUnix again a few days ago and had a few minutes on it before I rm -rf'd it to make a dual boot box... I was able to make ALL suid / sgid binaries in the dt bin segfault (except for dtmail) with a long $HOME or $PATH or combination of the two... off the top of my head dtterm was one of them for sure. Also the /usr/sbin/recon binary segfaulted very similar to the OpenServer version. Just a heads up sorry I didn't think about it sooner.

-KF

On Monday, October 1, 2001, at 11:08 AM, sco-security () caldera com wrote:

To: bugtraq () securityfocus com security-announce () lists securityportal com announce () lists caldera com scoannmod () xenitec on ca

___________________________________________________________________________

            Caldera International, Inc. Security Advisory

Subject:          Open Unix, UnixWare 7: dtprintinfo environment buffer overflow
Advisory number:  CSSA-2001-SCO.22
Issue date:       2001 October 1
Cross reference:
___________________________________________________________________________

1. Problem Description

   Very long environment variables will cause the dtprintinfo command to overflow a buffer. This could be used by an unauthorized user to gain privilege.

2. Vulnerable Versions

   Operating System    Version    Affected Files
   ------------------------------------------------------------------
   UnixWare 7          All        /usr/dt/bin/dtprintinfo
   Open Unix           8.0.0      /usr/dt/bin/dtprintinfo

3. Workaround

   None.

4. UnixWare 7

   4.1 Location of Fixed Binaries

       ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.22/

   4.2 Verification

       md5 checksums:

       e726067eba0107ac5efd8c1fdb141b0d dtprintinfo.Z

       md5 is available for download from

       ftp://stage.caldera.com/pub/security/tools/

   4.3 Installing Fixed Binaries

       Upgrade the affected binaries with the following commands:

       # mv /usr/dt/bin/dtprintinfo /usr/dt/bin/dtprintinfo-
       # uncompress /tmp/dtprintinfo.Z
       # cp dtprintinfo /usr/dt/bin
       # cd /usr/dt/bin
       # chown root dtprintinfo
       # chgrp bin dtprintinfo
       # chmod 4555 dtprintinfo

5. References

   This and other advisories are located at http://stage.caldera.com/support/security

   This advisory addresses Caldera Security internal incident sr850737.

6. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of any of the information we provide on our website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Caldera International products.

7. Acknowledgements

   Caldera International wishes to thank KF <dotslash () snosoft com> for discovering and reporting this problem.

___________________________________________________________________________
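
Added example (not part of the original post or of Caldera's advisory): sections 4.2 and 4.3 of the quoted advisory as one checksum-gated install, plus an inventory of the set-uid / set-gid files in a directory such as /usr/dt/bin, which is what the follow-up report concerns. The function names and the use of md5sum and mktemp are assumptions; the checksum, paths, owner, group and mode are the ones printed in the advisory.

```shell
#!/bin/sh
# Added example, not from the advisory. md5sum, mktemp and the function
# names are assumptions; paths, owner, group and mode follow section 4.3.

# list_setid DIR: print regular files under DIR that are set-uid or set-gid.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# verify_md5 FILE EXPECTED: succeed only if FILE's MD5 equals EXPECTED.
verify_md5() {
    [ -f "$1" ] || return 2
    actual=$(md5sum < "$1") || return 2
    actual=${actual%% *}            # keep the hash, drop the trailing " -"
    [ "$actual" = "$2" ]
}

# install_fixed ARCHIVE EXPECTED_MD5 TARGET: section 4.3, gated on 4.2.
# Nothing on disk is touched unless the checksum matches.
install_fixed() {
    archive=$1 expected=$2 target=$3
    if ! verify_md5 "$archive" "$expected"; then
        echo "checksum mismatch, not installing: $archive" >&2
        return 1
    fi
    work=$(mktemp -d) || return 1
    if ! uncompress -c "$archive" > "$work/new"; then
        rm -rf "$work"; return 1
    fi
    mv "$target" "$target-" || { rm -rf "$work"; return 1; }
    if cp "$work/new" "$target" && chown root "$target" &&
       chgrp bin "$target" && chmod 4555 "$target"; then
        rc=0
    else
        rm -f "$target"; mv "$target-" "$target"; rc=1   # roll back
    fi
    rm -rf "$work"
    return $rc
}

# As root, with the values published in the advisory:
#   install_fixed /tmp/dtprintinfo.Z e726067eba0107ac5efd8c1fdb141b0d \
#       /usr/dt/bin/dtprintinfo
#   list_setid /usr/dt/bin    # the other binaries KF reports as crashing
```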