Sun Solaris admintool -d and PRODVERS buffer overflow vulnerabilities
30 April 2002


eSO Security Advisory: 2397
Discovery Date: March 28, 2000
ID: eSO:2397
Title: Sun Solaris admintool -d and PRODVERS buffer overflow vulnerabilities
Impact: Local attackers can gain root privileges
Affected Technology: Solaris 2.5, 2.5.1, 2.6, 7, 8 SPARC and x86
Vendor Status: Patches are available
Discovered By: Kevin Kotas of the eSecurityOnline Research and Development Team
CVE Reference: CAN-2002-0089

Advisory Location:
http://www.eSecurityOnline.com/advisories/eSO2397.asp

Description:
The Sun Solaris admintool utility is vulnerable to multiple buffer overflow conditions that allow a local attacker to gain root access. The problems are due to insufficient bounds checking on command line options and on a configuration file variable. An attacker can use a carefully constructed string with the -d command line option or with the PRODVERS .cdtoc file variable to gain root privileges.

The first buffer overflow is related to command line execution of admintool with the -d switch, when a long string is used with "/Solaris" present.

The second buffer overflow occurs due to a lack of bounds checking for the PRODVERS argument in the .cdtoc file. The .cdtoc file is used to specify variables for installation media. Through the software/edit/add feature, a local directory can be specified that contains a .cdtoc file. The file can contain a string of data for the PRODVERS variable that will cause the program to crash or execute code when processed.
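
The bounds check that the PRODVERS handling lacks, shown in corrected form as an added example (this is not code from admintool or from the advisory). The KEY=VALUE line layout, the 32-byte limit, the name parse_prodvers, the return codes and the sample keys other than PRODVERS are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PRODVERS_MAX 32   /* assumed limit for this example */
enum { PV_OK = 0, PV_MISSING = -1, PV_TOO_LONG = -2 };  /* hypothetical codes */

/*
 * Scan .cdtoc text (assumed layout: one KEY=VALUE per line) for PRODVERS
 * and copy its value into out[outsz]. The value length is checked before
 * any copy, so an oversized value is rejected outright: it is neither
 * truncated nor written past the end of the destination buffer.
 */
int parse_prodvers(const char *text, char *out, size_t outsz)
{
    static const char key[] = "PRODVERS=";
    const size_t klen = sizeof key - 1;
    const char *line = text;

    if (outsz == 0)
        return PV_TOO_LONG;
    out[0] = '\0';

    while (*line != '\0') {
        size_t llen = strcspn(line, "\n");   /* length of this line */
        if (llen >= klen && strncmp(line, key, klen) == 0) {
            size_t vlen = llen - klen;
            if (vlen >= outsz)               /* no room for value plus NUL */
                return PV_TOO_LONG;
            memcpy(out, line + klen, vlen);
            out[vlen] = '\0';
            return PV_OK;
        }
        line += llen;                        /* advance to the next line */
        if (*line == '\n')
            line++;
    }
    return PV_MISSING;
}

int main(void)
{
    /* Constructed sample input, not taken from real installation media. */
    const char *sample = "PRODNAME=Solaris\nPRODVERS=2.6\nPRODDIR=Solaris_2.6\n";
    char vers[PRODVERS_MAX];
    int rc = parse_prodvers(sample, vers, sizeof vers);
    printf("rc=%d PRODVERS=%s\n", rc, vers);
    return rc == PV_OK ? 0 : 1;
}
```

A setuid program that reads a file from a user-chosen directory has to treat every field in that file as untrusted input, which is why the length test comes before the copy rather than after it.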

Technical Recommendation:
Apply the following patches.

Solaris 2.5:
103247-16

Solaris 2.5_x86:
103245-16

Solaris 2.5.1:
103558-16

Solaris 2.5.1_x86:
103559-16

Solaris 2.6:
105800-07

Solaris 2.6_x86:
105801-07

Solaris 7:
108721-02

Solaris 7_x86:
108722-02

Solaris 8:
10453-01

Solaris 8_x86:
110454-01

As a workaround, remove the setuid permissions with the following:

chmod -s /usr/bin/admintool

Vendor site:
http://sunsolve.sun.com

Acknowledgements:
eSecurityOnline would like to thank Sun Microsystems and the Sun security team for their cooperation in resolving the issue.

Copyright 2002 eSecurityOnline LLC. All rights reserved.

THE INFORMATION IN THIS VULNERABILITY ALERT IS PROVIDED BY ESECURITYONLINE LLC "AS IS", "WHERE IS", WITH NO WARRANTY OF ANY KIND, AND ESECURITYONLINE LLC HEREBY DISCLAIMS THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. ESECURITYONLINE LLC SHALL HAVE NO LIABILITY FOR ANY DAMAGE, CLAIM OR LOSS RESULTING FROM YOUR USE OF THE INFORMATION CONTAINED IN THIS VULNERABILITY ALERT.



