Bugtraq mailing list archives
Re: [VulnWatch] sastcpd Buffer Overflow and Format String Vulnerabilities
From: "William D. Colburn (aka Schlake)" <wcolburn () nmt edu>
Date: Tue, 29 Jan 2002 10:54:57 -0700
I installed SAS without any suid bits May of 2000, and no one has complained about anything not working. Removing the suid bit probably won't hurt anything. Also, my version is 8.00 and seems only to have the format string problem, not the buffer overflow.

On Tue, Jan 29, 2002 at 09:59:41AM +0000, Wodahs Latigid wrote:
> IMPACT
> sastcpd is installed setuid root by default, and therefore full root privileges can be obtained through exploitation of either of these vulnerabilities.
>
> Version tested: SAS Job Spawner for Open Systems version 8.01

--
William Colburn, "Sysprog" <wcolburn () nmt edu>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn