Bugtraq mailing list archives
buffer overflow in /usr/bin/cancel
From: jstrickl () CBU EDU (Josh A. Strickland)
Date: Fri, 5 Mar 1999 14:27:16 -0600
Well, Sun replied after about a week, week and a half. Not altogether great, but there are many companies who are much worse. N.B. sections set off in []'s weren't in the original, and are added for clarification or other explanation.

---------- Forwarded message ----------
Date: Thu, 4 Mar 1999 17:34:41 -0800 (PST)
From: Chok Poh <Chok.Poh () Eng Sun COM>
To: jstrickl () cbu edu
Subject: buffer overflow in /usr/bin/cancel

Hi Josh,

Thank you for your report on /usr/bin/cancel. There is a buffer overflow as you had reported. However /usr/bin/cancel in Solaris 2.5.1 is not setuid root.

[uh... I never told him it was. I'm not sure where that came from. HOWEVER, I did tell him it IS in 2.6]

/usr/bin/cancel is also not setuid root in Solaris versions prior to 2.5.1.

[I didn't have access to any prior to 2.5.1, or I would have checked this out]

This buffer overflow was fixed in Solaris 7 before it was released.

[let's hear it for proactive code auditing!]

If you are also using Solaris 2.6, please install patch 106235-03. The patch will be available at the following URL in about 4 weeks:

http://sunsolve.sun.com/sunsolve/pubpatches/patches.html

[4 weeks!? Um. o.k.]

[When I was checking out this problem (i.e., overflowing the buffer ;), I kept on getting the following notice: ]

    UX:cancel: ERROR: Can't send message to the LP print service.
            TO FIX: The LP print service apparently has been stopped.
                    Get help from your system administrator.

We are investigating the error message. Our tests showed that the LP was still up and running.

[not sure what was up w/ that... I guess they aren't either]

Thanks,
Chok

__________________________________________________________________________
Chok Poh
Sun Security Coordination Team
Sun Microsystems, Inc.
email: security-alert () sun com
__________________________________________________________________________

[ It seems that this is not an exploitable condition (2.6, remember, is the only version that is suid, so this is what I'm speaking of), as only i and o registers are mangled, and not pc. However, it is disconcerting that overflow problems with lpr were fixed long ago, but similar problems with other _similar_ programs like lpstat and cancel were not audited at the same time. This kind of makes me wonder what other lp related suid progs may have buffer overflows in them? In any event, be sure to chmod cancel now if you happen to run 2.6, and get the patch when it comes out a month from now.

On another note, if the source were available, one could patch it him/herself, and have a fully functional _secure_ version of cancel in far less than 4 weeks. This is not meant as a Sun-bashing session; Sun has come up w/ some truly wonderful things (CDE, for example) that I think are great (would be better if it was free like KDE ;-) ). However, allocating buffers as big or even bigger than 1000 bytes for usernames (who has a 1000 byte username?) without doing any bounds checking is, to me, inexcusable.]

shameless plug: Hickcon, a conference of the Midsouth, will be held for the first time in Memphis, TN this summer. If you are interested in attending, speaking, or advertising at this con, please contact either myself or cnwav. Events will include lectures, a CTF contest, a coding contest, and a large dinner party is planned for Saturday night. The price will be about $50, and it will last from Friday night until Sunday morning.

More information is available at http://www.hickcon.org

-Josh
a.k.a. tmbg of irc dalnet

Please reply to this address, jstrickl () cbu edu to contact me. For cnwav, please use cnwav () hickcon org.
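The bug class Josh describes above (a fixed-size username buffer of roughly 1000 bytes filled with no length check) modelled in C, with the hardened form beside it. This is an added example, not Sun's cancel source and not code from the original post: the buffer size, the function names, and the assumption that the username arrives as a plain string argument are illustrative; how cancel actually obtains the name is not stated on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size, taken from the post's remark about username
 * buffers of 1000 bytes or more. Not Sun's actual constant. */
#define USER_BUF 1000

/* Vulnerable pattern: a fixed-size stack buffer filled by an unbounded
 * strcpy. Any argument of USER_BUF bytes or longer writes past the end of
 * 'user' (undefined behaviour; exactly what is clobbered, saved registers
 * or return address, depends on the architecture and frame layout).
 * Kept only for contrast and never called with oversized input here. */
static void lookup_user_unchecked(const char *arg)
{
    char user[USER_BUF];
    strcpy(user, arg);                      /* no length check at all */
    printf("unchecked: cancelling jobs for %s\n", user);
}

/* Hardened form: measure first, refuse anything that does not fit with
 * its terminating NUL, and only then copy. Silent truncation is avoided
 * on purpose: a truncated username would act on the wrong account.
 * Returns 0 on success, -1 on rejection. */
int copy_user_checked(char *dst, size_t dstsize, const char *arg)
{
    size_t n;
    if (dst == NULL || arg == NULL || dstsize == 0)
        return -1;
    n = strlen(arg);
    if (n == 0 || n >= dstsize)             /* empty, or no room for NUL */
        return -1;
    memcpy(dst, arg, n + 1);
    return 0;
}

static void lookup_user_checked(const char *arg)
{
    char user[USER_BUF];
    if (copy_user_checked(user, sizeof user, arg) != 0) {
        fprintf(stderr, "checked: username rejected (%zu bytes, limit %zu)\n",
                strlen(arg), sizeof user - 1);
        return;
    }
    printf("checked: cancelling jobs for %s\n", user);
}

/* Helper: build a constructed username of 'len' 'A's (not a real account
 * name), run it through the checked path and return the verdict. */
int check_constructed_name(size_t len)
{
    char user[USER_BUF];
    char *arg = malloc(len + 1);
    int rc;
    if (arg == NULL)
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    rc = copy_user_checked(user, sizeof user, arg);
    free(arg);
    return rc;
}

/* Longest username the checked path accepts: USER_BUF minus the NUL. */
size_t user_buf_limit(void)
{
    return USER_BUF - 1;
}

int main(void)
{
    char *big = malloc(1201);               /* constructed 1200-byte "name" */
    if (big == NULL)
        return 1;
    memset(big, 'A', 1200);
    big[1200] = '\0';

    lookup_user_unchecked("jstrickl");      /* short input: safe either way */
    lookup_user_checked("jstrickl");
    lookup_user_checked(big);               /* 1200 bytes: rejected, never copied */
    /* lookup_user_unchecked(big) would write 201 bytes past 'user'. */

    free(big);
    return 0;
}
```

The check is deliberately a hard reject rather than a strncpy: a bounded copy that silently drops the tail keeps the process alive but can turn one user's name into another's, which for a print-queue tool that acts on someone else's jobs is its own problem. Until the patch is installed, the mitigation in the post (dropping the setuid bit from cancel on 2.6) remains the practical fix, since the bounds check only helps once the binary is rebuilt.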