Bugtraq mailing list archives

Security Update: [CSSA-2002-SCO.12] Open UNIX, UnixWare 7: rpc.cmsd can be remotely exploited


From: security () caldera com
Date: Wed, 20 Mar 2002 15:12:33 -0800

To: bugtraq () securityfocus com announce () lists caldera com scoannmod () xenitec on ca

___________________________________________________________________________

            Caldera International, Inc. Security Advisory

Subject:                Open UNIX, UnixWare 7: rpc.cmsd can be remotely exploited
Advisory number:        CSSA-2002-SCO.12
Issue date:             2002 March 20
Cross reference:
___________________________________________________________________________


1. Problem Description
        
  1.1 Overview

        The rpc.cmsd command would overflow a buffer under certain
        circumstances, allowing the possibility of a remote user to
        gain privilege.


  1.2 Detail
  
        The exploit code provided by jGgM requests program 100068
        version 4 on UDP (implemented by /usr/dt/bin/rpc.cmsd) and
        then does a single RPC call to procedure 21 (rtable_create)
        passing 2 strings, one of which creates a buffer overflow.

        $BASE/server/rtable4.c:_DtCm_rtable_create_4_svc(args) where
        args is of type Table_Op_Args_4: 2 client supplied strings as
        args->target and args->new_target. "new_target" is never used
        and "target" creates the overflow later on.

        _DtCmGetPrefix will overflow its local variable "buf" if the
        "sep" parameter that ends the prefix is not present.

        A secondary problem may also occur because
        _DtCm_rtable_create_4_svc does not make sure that the length
        of args->target is < BUFSIZ.
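
        The two missing checks described in 1.2, as an added example (not
        Caldera's fix and not the CDE source): a bounded prefix copy and a
        length check on the client string. The function names, the '@'
        separator and the sample strings are assumptions made for illustration.

```c
#include <stdio.h>   /* BUFSIZ, printf */
#include <string.h>
/* Unsafe pattern as the advisory describes it (reconstruction, not CDE source):
 *     char buf[BUFSIZ], *p = buf;
 *     while (*str != sep) *p++ = *str++;
 * With no sep in str, nothing stops the copy at the end of buf. */

/* Hypothetical bounded replacement. Copies the part of str before sep into
 * out. Returns the prefix length, or -1 if sep is absent or it does not fit. */
int get_prefix_bounded(const char *str, char sep, char *out, size_t outsz)
{
    const char *end;
    size_t len;
    if (str == NULL || out == NULL || outsz == 0)
        return -1;
    end = strchr(str, sep);          /* stops at the NUL if sep is missing */
    if (end == NULL)
        return -1;
    len = (size_t)(end - str);
    if (len >= outsz)                /* leave room for the terminator */
        return -1;
    memcpy(out, str, len);
    out[len] = '\0';
    return (int)len;
}

/* Hypothetical entry check for the secondary problem: accept a client
 * string only if its length is < BUFSIZ. Returns 1 if acceptable. */
int target_length_ok(const char *target)
{
    size_t i;
    if (target == NULL)
        return 0;
    for (i = 0; i < BUFSIZ; i++)
        if (target[i] == '\0')
            return 1;
    return 0;
}

int main(void)
{
    char buf[BUFSIZ];
    const char *samples[] = { "user@host", "no-separator" };  /* constructed */
    for (int i = 0; i < 2; i++)
        printf("%-14s ok=%d prefix_len=%d\n", samples[i],
               target_length_ok(samples[i]),
               get_prefix_bounded(samples[i], '@', buf, sizeof buf));
    return 0;
}
```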


2. Vulnerable Supported Versions

        Operating System        Version         Affected Files
        ------------------------------------------------------------------
        UnixWare 7              7.1.1           /usr/dt/bin/rpc.cmsd
        Open UNIX               8.0.0           /usr/dt/bin/rpc.cmsd


3. Workaround

        None.


4. UnixWare 7, Open UNIX 8

  4.1 Location of Fixed Binaries

        ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.12/


  4.2 Verification

        MD5 (erg711942b.Z) = 64d49dcd622cccbb2e7553e2706bc33d


        md5 is available for download from
                ftp://stage.caldera.com/pub/security/tools/


  4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following commands:

        Download erg711942b.Z to the /var/spool/pkg directory

        # uncompress /var/spool/pkg/erg711942b.Z
        # pkgadd -d /var/spool/pkg/erg711942b


5. References

        Specific references for this advisory:

                none


        Caldera UNIX security resources:

                http://stage.caldera.com/support/security/
                       
        Caldera OpenLinux security resources:

                http://www.caldera.com/support/security/index.html


        This advisory addresses Caldera Security internal incidents
        sr858623, fz519829, erg711942.


6. Disclaimer

        Caldera International, Inc. is not responsible for the misuse
        of any of the information we provide on our website and/or
        through our security advisories. Our advisories are a service
        to our customers intended to promote secure installation and
        use of Caldera International products.


7. Acknowledgements

        This vulnerability was discovered and researched by jGgM
        <jggm () mail com>.

         
___________________________________________________________________________
