eSecurityOnline advisory 5063 - Sun AnswerBook2 gettransbitmap buffer overflow vulnerability

[<researchteam () esecurityonline com>]

eSO Security Advisory:          5063
Discovery Date:                 March 1, 2002
ID:                             eSO:5063
Title:                          Sun AnswerBook2 gettransbitmap buffer
                                overflow vulnerability
Impact:                         Remote attackers can execute arbitrary
                                code.
Affected Technology:            Sun AnswerBook2 1.4, 1.4.1, 1.4.2,
                                1.4.3
Vendor Status:                  Vendor notified.
Discovered By:                  Kevin Kotas of the eSecurityOnline
                                Research and Development Team
CVE Reference:                  CAN-2002-0360

Advisory Location:
http://www.eSecurityOnline.com/advisories/eSO5063.asp

Description:
Sun AnswerBook2 is vulnerable to a stack based buffer overflow
condition that can allow a remote attacker to execute arbitrary code.
The problem is due to the gettransbitmap CGI that comes with
AnswerBook2 not correctly performing bounds checking on the filename
argument. A remote attacker can create a request that will result in
arbitrary code execution with user daemon privileges.
  
Technical Recommendation:
Presently, there are no vendor patches available. As a workaround
solution, remove access to the gettransbitmap binary.

chmod 0000 <path to>/gettransbitmap

Otherwise, disable AnswerBook2.

© 2002 eSecurityOnline LLC.  All rights reserved.

THE INFORMATION IN THIS VULNERABILITY ALERT IS PROVIDED BY
ESECURITYONLINE LLC "AS IS", "WHERE IS", WITH NO WARRANTY OF ANY KIND,
AND ESECURITYONLINE LLC HEREBY DISCLAIMS THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.  ESECURITYONLINE LLC SHALL HAVE NO LIABILITY FOR ANY DAMAGE,
CLAIM OR LOSS RESULTING FROM YOUR USE OF THE INFORMATION CONTAINED IN
THIS VULNERABILITY ALERT.