SCO 5.0.6 MMDF issues (deliver)

["Secure Network Operations , Inc." <recon () SNOSOFT COM>]

======================================================================
Strategic Reconnisiance Team Security Advisory(SRT2001-03)
Topic: SCO 5.0.6 MMDF issues (deliver)
Vendor: SCO
Release Date: 03/27/01
======================================================================
.: Description
SCO OpenServer 5.0.6 ships with a previously known buggy MMDF package.
SCO Security Bulletin 2000.06 states "Recently Network Associates, Inc.
issued a  SECURITY ADVISORY against all versions of MMDF prior to the
beta release 2.44a-B4" however SCO still released OpenServer 5.0.6 with
version 2.43.3b of MMDF. deliver has poor processing of command line arguments
resulting in a buffer overflow /opt/K/SCO/MMDF/2.43.3b/usr/mmdf/bin/deliver
will core dump if fed more than 4085 chars.

.: Impact
/opt/K/SCO/MMDF/2.43.3b/usr/mmdf/bin/deliver `perl -e 'print "A" x 5000'`
Memory fault - core dumped

This problem makes it possible to overwrite memory space of the running 
process,
and potentially execute code with the inherited privileges of root.

.: Workaround
chmod -s /opt/K/SCO/MMDF/2.43.3b/usr/mmdf/bin/deliver

.: Systems Affected
SCO OpenServer 5.0.6 upgrade from 5.0.x and 5.0.6 fresh install.

.: Proof of Concept
To be released at a later time.

.: Vendor Status
Vendor was notified on 03/22/01. Vendor lab tests confirmed the issue. Patch
status is unknown.

.: Credit
Kevin Finisterre
dotslash () snosoft com, krfinisterre () checkfree com

======================================================================
©Copyright 2001 Secure Network Operations , Inc.  All Rights Reserved.
Strategic Reconnisiance Team | recon () snosoft com
http://recon.snosoft.com     | http://www.snosoft.com
----------------------------------------------------------------------