Re: HPUX Security Bulletin HPSBUX0103-146 - How Bad ?

[Joe Carnahan <haq4jc () YAHOO COM>]

--- "Boyce, Nick" <nick.boyce () EDS COM> wrote:
> Usual question - anyone know how bad this one is ?
> The words "buffer overflow" scare me :-)

Actually, this one's about as innocent as buffer
overflows can get - If this is the same problem with
Vixie cron that was being discussed last month (check
the bugtraq archives from about the beginning of
February), then the string whose length is unchecked
is the username itself.  That is, if my username was
more than 20 characters long AND my username itself
contained nasty shellcode at the end, then I could get
root by running the crontab command.

However, this assumes that you can set your username
to be a particularly large and obviously malicious
string, and last time I checked, root is the only user
that can create accounts and set or change usernames.
So, this vulnerability is not terribly useful to an
attacker.

Still, if you have the opportunity to patch your
system(s), then by all means please do.  Even if
there's not much danger of root compromise, it's best
to plug any holes before someone more clever comes
along and figures out how to widen them enough to be
useful, right?

Regards,
Joe Carnahan

=====
Joseph Carnahan
haq4jc () yahoo com
Home: (540) 361-4345
Work: (540) 653-5798
   or (703) 697-6318

__________________________________________________
Do You Yahoo!?
Get email at your own domain with Yahoo! Mail.
http://personal.mail.yahoo.com/