[19900] in bugtraq
SCO 5.0.6 MMDF issues (sendmail 8.9.3)
daemon@ATHENA.MIT.EDU (Secure Network Operations , Inc.)
Wed Mar 28 03:37:14 2001
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Message-ID: <4.2.2.20010327133912.022a8048@mail.snosoft.com>
Date: Tue, 27 Mar 2001 13:39:54 +0100
Reply-To: "Secure Network Operations , Inc." <recon@SNOSOFT.COM>
From: "Secure Network Operations , Inc." <recon@SNOSOFT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
======================================================================
Strategic Reconnaissance Team Security Advisory(SRT2001-01)
Topic: SCO 5.0.6 MMDF issues (sendmail 8.9.3)
Vendor: SCO
Release Date: 03/27/01
======================================================================
.: Description
SCO OpenServer 5.0.6 ships with a previously known buggy MMDF package.
SCO Security Bulletin 2000.06 states "Recently Network Associates, Inc.
issued a SECURITY ADVISORY against all versions of MMDF prior to the
beta release 2.44a-B4" however SCO still released OpenServer 5.0.6 with
version 2.43.3b of MMDF. The sendmail 8.9.3 binary has poor handling of
command line arguments resulting in a buffer overflow.
.: Impact
/opt/K/SCO/MMDF/2.43.3b/usr/lib/sendmail `perl -e 'print "A" x 3000'`
Memory fault - core dumped
This problem makes it possible to overwrite memory space of the running
process,
and potentially execute code with the inherited privileges of the mmdf
subsystem.
uid=17(mmdf) gid=22(mmdf) groups=22(mmdf)
.: Workaround
chmod -s /opt/K/SCO/MMDF/2.43.3b/usr/lib/sendmail
upgrade to a newer version of MMDF.
.: Systems Affected
SCO OpenServer 5.0.6 upgrade from 5.0.x and 5.0.6 fresh install.
.: Proof of Concept
To be released at a later time. Existing 5.0.x sendmail exploits may be valid.
.: Vendor Status
Vendor was notified on 03/22/01. Vendor lab tests confirmed the issue. Patch
status is unknown.
.: References
Original SCO advisory
ftp://ftp.sco.com/SSE/security_bulletins/SB-00.06a
.: Credit
Kevin Finisterre
dotslash@snosoft.com, krfinisterre@checkfree.com
======================================================================
©Copyright 2001 Secure Network Operations , Inc. All Rights Reserved.
Strategic Reconnaissance Team | recon@snosoft.com
http://recon.snosoft.com | http://www.snosoft.com
----------------------------------------------------------------------
