Bugtraq mailing list archives

sastcpd 8.0 'authprog' local root vulnerability


From: rpc <rpc () unholy net>
Date: Wed, 30 Jan 2002 22:40:58 -0800

Hi,

Several environment variable problems exist in the 'SAS Job Spawner for Open Systems version 8.00'. No other releases 
of the software were available to test. Sorry.

authprog vulnerability
----------------------

The daemon passes a user-defined environment variable, 'authprog', to execve(). This obviously is a problem if sastcpd 
is setuid. A sample 'exploit' is attached.

netencralg vulnerability
------------------------

I haven't poked at this long enough to determine whether or not it is exploitable. sastcpd segfaults if 'netencralg' is 
set to any value.

All tests were run on SunOS 5.8.
Both vulnerabilities were discovered with Dave Aitel's/AtStake simple-yet-sexy sharefuzz 1.0.

cheers,
--rpc

Attachment: authme.sh
Description:

Attachment: _bin
Description:

