Bugtraq mailing list archives

buffer overflow in /usr/bin/cancel


From: jstrickl () CBU EDU (Josh A. Strickland)
Date: Fri, 5 Mar 1999 14:27:16 -0600


Well, Sun replied after about a week, week and a half. Not altogether
great, but there are many companies who are much worse.

N.B. sections set off in []'s weren't in the original, and are added for
clarification or other explanation.

---------- Forwarded message ----------
Date: Thu, 4 Mar 1999 17:34:41 -0800 (PST)
From: Chok Poh <Chok.Poh () Eng Sun COM>
To: jstrickl () cbu edu
Subject: buffer overflow in /usr/bin/cancel

Hi Josh,

Thank you for your report on /usr/bin/cancel.

There is a buffer overflow as you had reported. However /usr/bin/cancel
in Solaris 2.5.1 is not setuid root. [uh... I never told him
it was. I'm not sure where that came from. HOWEVER, I did tell him it IS
in 2.6] /usr/bin/cancel is also not setuid root in Solaris versions prior to
2.5.1. [I didn't have access to any prior to 2.5.1, or I would have
checked this out] This buffer overflow was fixed in Solaris 7 before it
was released. [let's hear it for proactive code auditing!] If you are also
using Solaris 2.6, please install patch 106235-03. The patch will be available
at the following URL in about 4 weeks:

        http://sunsolve.sun.com/sunsolve/pubpatches/patches.html

[4 weeks!? Um. o.k.]

[When I was checking out this problem (i.e., overflowing the buffer ;), I
kept on getting the following notice: ]

UX:cancel: ERROR: Can't send message to the LP print service.
         TO FIX: The LP print service apparently has been
                 stopped. Get help from your system
                 administrator.

We are investigating the error message. Our tests showed that the LP was still
up and running.

[not sure what was up w/ that... I guess they aren't either]


Thanks,

Chok
__________________________________________________________________________

Chok Poh
Sun Security Coordination Team
Sun Microsystems, Inc.
email: security-alert () sun com

__________________________________________________________________________


[ It seems that this is not an exploitable condition (2.6, remember, is
the only version that is suid, so this is what I'm speaking of), as only i
and o registers are mangled, and not pc. However, it is disconcerting that
overflow problems with lpr were fixed long ago, but similar problems with
other _similar_ programs like lpstat and cancel were not audited at the
same time. This kind of makes me wonder what other lp related suid progs
may have buffer overflows in them? In any event, be sure to chmod cancel
now if you happen to run 2.6, and get the patch when it comes out a month from
now. On another note, if the source were available, one could patch it
him/herself, and have a fully functional _secure_ version of cancel in far
less than 4 weeks. This is not meant as a Sun-bashing session, Sun has
come up w/ some truly wonderful things (CDE, for example) that I think are
great (would be better if it was free like KDE ;-) ). However, allocating
buffers as big or even bigger than 1000 bytes for usernames (who has a
1000 byte username?) without doing any bounds checking is, to me, inexcusable.]

shameless plug:

Hickcon, a conference of the Midsouth, will be held for the first time in
Memphis, TN this summer. If you are interested in attending, speaking, or
advertising at this con, please contact either myself or cnwav. Events
will include lectures, a CTF contest, a coding contest, and a large dinner
party is planned for Saturday night. The price will be about $50, and it
will last from Friday night until Sunday morning. More information is
available at http://www.hickcon.org

-Josh
a.k.a. tmbg of irc dalnet

Please reply to this address, jstrickl () cbu edu to contact me.
For cnwav, please use cnwav () hickcon org.
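The unchecked username copy Josh's closing note objects to, contrasted with a bounded version, as an added example: it is not Sun's cancel code (the poster had no source), and the 1000-byte buffer size, the function names and the sample name are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the username buffer the post complains about ("as big or even
 * bigger than 1000 bytes"); the exact figure in Sun's source is assumed. */
#define USER_BUF_SIZE 1000

/* Bounded replacement for the pattern the post describes: strcpy() of a
 * caller-controlled name into a fixed buffer with no length check. Rejects
 * (rather than silently truncates) any name that does not fit with its NUL
 * terminator. Returns 0 on success, -1 if the name is too long. */
int set_user_checked(char *dst, size_t dstsz, const char *src)
{
    /* memchr never looks past dstsz bytes, so an over-long src is safe to scan. */
    const char *nul = memchr(src, '\0', dstsz);
    if (nul == NULL)
        return -1;
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Build a constructed name of 'len' bytes and try to store it; returns the result. */
int try_user_of_length(size_t len)
{
    char buf[USER_BUF_SIZE];
    char *name = malloc(len + 1);
    int rc;
    if (name == NULL)
        return -1;
    memset(name, 'A', len);
    name[len] = '\0';
    rc = set_user_checked(buf, sizeof buf, name);
    free(name);
    return rc;
}

/* 1 if 'name' is accepted and arrives in the buffer unchanged, else 0. */
int user_roundtrip_ok(const char *name)
{
    char buf[USER_BUF_SIZE];
    return set_user_checked(buf, sizeof buf, name) == 0 && strcmp(buf, name) == 0;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "jstrickl"; /* assumed sample name */
    printf("%s: %s\n", name, user_roundtrip_ok(name) ? "accepted" : "rejected");
    return 0;
}
```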
