[22770] in bugtraq
[Fwd: Failed mail]
daemon@ATHENA.MIT.EDU (KF)
Tue Oct 2 19:18:57 2001
Message-ID: <3BB9BC0A.8937D535@snosoft.com>
Date: Tue, 02 Oct 2001 09:07:22 -0400
From: KF <dotslash@snosoft.com>
MIME-Version: 1.0
To: bugtraq@security-focus.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Well I tried to mail this to the SCO / Caldera security aliases but they
keep bouncing back so I will send it here instead... this is regarding
the recent DT overflows on OpenUnix8.
-KF
-------- Original Message --------
Subject: Failed mail
Date: Mon, 1 Oct 2001 17:08:31 PDT
From: MMDF Mail System <mmdf@sco.COM>
To: dotslash@snosoft.com
Trouble sending mail on sco.sco.COM:
============ Transcript follows ============
(USER) Unknown user name in "tigger@sco.com"
(USER) Unknown user name in "sco-security@sco.com"
Submit error: No valid addresses
============== Message follows =============
Received: from clmboh1-smtp3.columbus.rr.com(65.24.0.112)
via SMTP by sco.ca.caldera.COM, id smtpdAAAa006kA; Mon Oct 1 17:08:28
2001
Received: from osxinsightrrcom (dhcp065-024-239-073.insight.rr.com
[65.24.239.73])
by clmboh1-smtp3.columbus.rr.com (8.11.2/8.11.2) with ESMTP id
f920XDR13482;
Mon, 1 Oct 2001 20:33:13 -0400 (EDT)
Message-Id: <200110020033.f920XDR13482@clmboh1-smtp3.columbus.rr.com>
Date: Sun, 30 Sep 2001 20:36:19 -0700
From: KF <dotslash@snosoft.com>
Content-Type: text/plain;
format=flowed;
charset=us-ascii
X-Mailer: Apple Mail (2.388)
Cc: sco-security@sco.com
To: tigger@sco.com
Mime-Version: 1.0 (Apple Message framework v388)
Content-Transfer-Encoding: 7bit
Subject: SECURITY ISSUE in DT YOU MISSED A COUPLE BINARIES.
Begin forwarded message:
> From: MAILER-DAEMON@caldera.co
>
> <sco-security@caldera.com>:
> Sorry, no mailbox here by that name. (#5.1.1)
> Subject: Re: Security Update: [CSSA-2001-SCO.22] Open Unix, UnixWare 7:
> dtprintinfo environment buffer overflow
>
>
>
> Hey guys I installed OpenUnix again a few days ago and had a few minutes
> on it before I rm -rf'd it to make a dual boot box... I was able to make
> ALL suid / sgid binaries in the dt bin segfault (except for dtmail) with
> a long $HOME or $PATH or combination of the two...
> off the top of my head dtterm was one of them for sure.
>
> Also the /usr/sbin/recon binary segfaulted very similar to the
> OpenServer version.
> Just a heads up sorry I didn't think about it sooner.
> -KF
>
>
> On Monday, October 1, 2001, at 11:08 AM, sco-security@caldera.com wrote:
>
>> To: bugtraq@securityfocus.com
>> security-announce@lists.securityportal.com announce@lists.caldera.com
>> scoannmod@xenitec.on.ca
>>
>> ___________________________________________________________________________
>>
>> Caldera International, Inc. Security Advisory
>>
>> Subject: Open Unix, UnixWare 7: dtprintinfo environment buffer
>> overflow
>> Advisory number: CSSA-2001-SCO.22
>> Issue date: 2001 October 1
>> Cross reference:
>> ___________________________________________________________________________
>>
>>
>>
>> 1. Problem Description
>>
>> Very long environment variables will cause the dtprintinfo
>> command to overflow a buffer. This could be used by an
>> unauthorized user to gain privilege.
>>
>>
>> 2. Vulnerable Versions
>>
>> Operating System    Version    Affected Files
>> ------------------------------------------------------------------
>> UnixWare 7          All        /usr/dt/bin/dtprintinfo
>> Open Unix           8.0.0      /usr/dt/bin/dtprintinfo
>>
>>
>> 3. Workaround
>>
>> None.
>>
>>
>> 4. UnixWare 7
>>
>> 4.1 Location of Fixed Binaries
>>
>> ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.22/
>>
>>
>> 4.2 Verification
>>
>> md5 checksums:
>>
>> e726067eba0107ac5efd8c1fdb141b0d dtprintinfo.Z
>>
>>
>> md5 is available for download from
>>
>> ftp://stage.caldera.com/pub/security/tools/
>>
>>
>> 4.3 Installing Fixed Binaries
>>
>> Upgrade the affected binaries with the following commands:
>>
>> # mv /usr/dt/bin/dtprintinfo /usr/dt/bin/dtprintinfo-
>> # uncompress /tmp/dtprintinfo.Z
>> # cp dtprintinfo /usr/dt/bin
>> # cd /usr/dt/bin
>> # chown root dtprintinfo
>> # chgrp bin dtprintinfo
>> # chmod 4555 dtprintinfo
>>
>>
>> 5. References
>>
>> This and other advisories are located at
>> http://stage.caldera.com/support/security
>>
>> This advisory addresses Caldera Security internal incident
>> sr850737.
>>
>> 6. Disclaimer
>>
>> Caldera International, Inc. is not responsible for the misuse
>> of any of the information we provide on our website and/or
>> through our security advisories. Our advisories are a service
>> to our customers intended to promote secure installation and
>> use of Caldera International products.
>>
>>
>> 7. Acknowledgements
>>
>> Caldera International wishes to thank KF <dotslash@snosoft.com>
>> for discovering and reporting this problem.
>>
>>
>> ___________________________________________________________________________
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (SCO_SV)
> Comment: For info see http://www.gnupg.org
>
> iEYEARECAAYFAju4sQAACgkQaqoBO7ipriHZuwCfc3mewbRNYJKCWBqIRMOVtvKy
> ABgAniOhYqovOG8XxHTkqSmtM6BujsSS
> =iFZ0
> -----END PGP SIGNATURE-----
>
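
Added example, not part of the original thread and not Caldera's code: the advisory and the follow-up report describe set-id programs that overflow a buffer when given a very long environment variable such as $HOME. The sketch below shows the unchecked copy that typically produces this class of bug beside a bounded form that rejects oversized input. The dtprintinfo source is not on this page, so the buffer size, the function names and the ".dt/printers" suffix are all assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CFG_PATH_MAX 256   /* assumed fixed buffer size, for illustration */

/* Unsafe pattern (assumed, shown for contrast and never called here):
 * the length of $HOME is chosen by whoever launches the program, so
 * sprintf can write past the end of a CFG_PATH_MAX-byte buffer. */
void build_cfg_path_unsafe(char *out, const char *home)
{
    sprintf(out, "%s/.dt/printers", home);
}

/* Hardened form: bounded write, and truncation is treated as an error
 * instead of silently continuing with a cut-off path.
 * Returns 0 on success, -1 if home is missing, relative or too long. */
int build_cfg_path(char *out, size_t outsz, const char *home)
{
    int n;

    if (home == NULL || home[0] != '/')
        return -1;
    n = snprintf(out, outsz, "%s/.dt/printers", home);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0';      /* leave no partial path behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[CFG_PATH_MAX];

    /* A privileged program should fail closed on a hostile environment. */
    if (build_cfg_path(path, sizeof path, getenv("HOME")) != 0) {
        fprintf(stderr, "refusing to run: HOME unset, relative or too long\n");
        return 1;
    }
    printf("config path: %s\n", path);
    return 0;
}
```

The same length check applies to $PATH and to any other variable a set-id binary reads before dropping privilege.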