[25109] in bugtraq
[SNS Advisory No.50] Compaq Tru64 UNIX dtprintinfo "-session" Buffer Overflow Vulnerability
daemon@ATHENA.MIT.EDU (snsadv@lac.co.jp)
Wed Apr 17 14:05:44 2002
Date: Wed, 17 Apr 2002 14:45:45 +0900
From: "snsadv@lac.co.jp" <snsadv@lac.co.jp>
To: bugtraq@securityfocus.com
Message-Id: <20020417142413.1E51.SNSADV@lac.co.jp>
----------------------------------------------------------------------
SNS Advisory No.50
Compaq Tru64 UNIX dtprintinfo "-session" Buffer Overflow Vulnerability
Problem first discovered: Wed, 10 Oct 2001
Published: Thu, 17 Apr 2002
----------------------------------------------------------------------
Overview:
---------
dtprintinfo included with Compaq Tru64 UNIX contains a buffer overflow
vulnerability, which could potentially allow local attackers to elevate
privileges.
Problem Description:
--------------------
The /usr/dt/bin/dtprintinfo included with Compaq Tru64 UNIX is a program
for opening the CDE Print Manager window. This program is installed as
SUID root. In dtprintinfo it is possible to restore a client to the
original desktop state by loading the session file using the "-session"
option. A buffer overflow occurs in dtprintinfo when an unusually long
string of characters is used as the session filename. This could allow a
local attacker to execute arbitrary code as root.
Affected Versions:
------------------
Compaq Tru64 UNIX V4.0F
Compaq Tru64 UNIX V5.0
Compaq Tru64 UNIX V5.1
Compaq Tru64 UNIX V5.1A
Solution:
---------
This problem can be eliminated by applying an appropriate patch to your
Tru64 UNIX version based on the information in the following URL:
Compaq SECURITY BULLETIN (SSRT-541) Potential Security Vulnerabilities
in Tru64,Unix,CDE,NFS,and NIS:
http://ftp.support.compaq.com/patches/.new/html/SSRT-541.shtml
Discovered by:
--------------
Noboru Yoshinaga yosinaga@lac.co.jp
Disclaimer:
-----------
All information in these advisories is subject to change without any
advance notice or mutual consensus, and each of them is released
as it is. LAC Co., Ltd. is not responsible for any risks of occurrences
caused by applying this information.
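
The problem described above depends on dtprintinfo being installed set-uid root under /usr/dt/bin. The script below is an added example, not part of the SNS advisory or any vendor tooling; it generalizes the check to every set-uid file in a directory, and its function names are illustrative.

```shell
#!/bin/sh
# Added example: list set-uid files in a directory and flag root-owned ones.
# /usr/dt/bin comes from the advisory; function names are illustrative.

# is_setuid FILE: succeeds if FILE is a regular file with the set-uid bit.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# owner_uid FILE: print the numeric owner uid (third field of `ls -ln`).
owner_uid() {
    ls -lnd -- "$1" | awk '{ print $3 }'
}

# audit_setuid DIR: print "<uid> <path>" for each set-uid file in DIR.
# Returns 2 if DIR is not a directory.
audit_setuid() {
    [ -d "$1" ] || return 2
    for f in "$1"/*; do
        is_setuid "$f" || continue
        printf '%s %s\n' "$(owner_uid "$f")" "$f"
    done
}

# root_setuid DIR: print only the paths whose owner is uid 0.
root_setuid() {
    audit_setuid "$1" | awk '$1 == 0 { sub(/^[0-9]+ /, ""); print }'
}

# Run as: sh audit.sh /usr/dt/bin
if [ $# -gt 0 ]; then
    root_setuid "$1"
fi
```

The output is an inventory of set-uid root binaries to compare against vendor patch status; it does not test for the overflow itself.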