[24025] in bugtraq
sastcpd Buffer Overflow and Format String Vulnerabilities
daemon@ATHENA.MIT.EDU (Wodahs Latigid)
Tue Jan 29 14:30:34 2002
Message-ID: <20020129095941.28776.qmail@mail.com>
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
From: "Wodahs Latigid" <wodahs@mail.com>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Date: Tue, 29 Jan 2002 09:59:41 +0000
----------------------------------------------------------
sastcpd Buffer Overflow and Format String Vulnerabilities
Ministry-of-Peace - www.ministryofpeace.co.uk
----------------------------------------------------------
SYNOPSIS
"SAS software provides the foundation, tools, and
solutions for data analysis, report generation,
and enterprise-wide information delivery."
The "SAS Job Spawner", sastcpd, contains both a buffer
overflow and a format string vulnerability.
SAS Support say that these problems were fixed in version
8.2 of this product, but we are unable to confirm as we
do not have access to this version.
IMPACT
sastcpd is installed setuid root by default, and therefore
full root privileges can be obtained through exploitation
of either of these vulnerabilities.
DETAILS
Version tested:
SAS Job Spawner for Open Systems version 8.01
$ sastcpd `perl -e "print 'A' x 1200"`
Invalid argument: AAAA[..cut..]AAAA.
Segmentation fault (core dumped)
$ ls -la core
-rw------- 1 root teknix 1454382 Jan 28 04:22 core
$ sastcpd %n
Segmentation fault (core dumped)
$ sastcpd %x
Invalid argument: 2.
CREDITS
Vulnerability discovered by Digital Shadow
INFO
Security Advisory #05
Published: 29th January 2002
--
_______________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup
Win a ski trip!
http://www.nowcode.com/register.asp?affiliate=1net2phone3a
