Vulnerability

    deliver (MMDF)

Affected

    SCO OpenServer 5.0.6 upgrade from 5.0.x and 5.0.6 fresh install.

Description

    Following is based on a Strategic Reconnaissance Team Security Advisory (SRT2001-03). SCO OpenServer 5.0.6 ships with a previously known buggy MMDF package. SCO Security Bulletin 2000.06 states "Recently Network Associates, Inc. issued a SECURITY ADVISORY against all versions of MMDF prior to the beta release 2.44a-B4"; however, SCO still released OpenServer 5.0.6 with version 2.43.3b of MMDF.

    deliver has poor processing of command line arguments, resulting in a buffer overflow. /opt/K/SCO/MMDF/2.43.3b/usr/mmdf/bin/deliver will core dump if fed more than 4085 chars:

        /opt/K/SCO/MMDF/2.43.3b/usr/mmdf/bin/deliver `perl -e 'print "A" x 5000'`
        Memory fault - core dumped

    This problem makes it possible to overwrite memory space of the running process, and potentially execute code with the inherited privileges of root.

    Credit goes to Kevin Finisterre.

Solution

    As a workaround:

        chmod -s /opt/K/SCO/MMDF/2.43.3b/usr/mmdf/bin/deliver

    Vendor was notified on 03/22/01. Vendor lab tests confirmed the issue. Patch status is unknown.
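
To confirm that the workaround above took effect, the following added example (not part of the original advisory) checks whether deliver still carries setuid or setgid bits and lists any other set-id files left in the same directory. The function names, the `--audit` switch and the `MMDF_BIN` variable are assumptions of this example; the default path is the one given in the advisory.

```shell
#!/bin/sh
# Added example, not from the advisory: verify the "chmod -s" workaround.
# Function names and the MMDF_BIN variable are assumptions of this example;
# the default path is the one quoted in the advisory.
MMDF_BIN="${MMDF_BIN:-/opt/K/SCO/MMDF/2.43.3b/usr/mmdf/bin}"

# list_setid DIR: print regular files under DIR that have setuid or setgid set.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# check_workaround FILE
#   returns 0 if FILE exists with no set-id bits (workaround applied)
#   returns 1 if FILE is still setuid or setgid
#   returns 2 if FILE does not exist
check_workaround() {
    [ -e "$1" ] || return 2
    if [ -u "$1" ] || [ -g "$1" ]; then
        return 1
    fi
    return 0
}

# audit DIR: report on DIR/deliver, then list any set-id files left in DIR.
audit() {
    rc=0
    check_workaround "$1/deliver" || rc=$?
    case "$rc" in
        0) echo "OK: $1/deliver has no set-id bits" ;;
        1) echo "STILL SET-ID: $1/deliver"; ls -l "$1/deliver" ;;
        2) echo "NOT FOUND: $1/deliver" ;;
    esac
    echo "Set-id files remaining under $1:"
    list_setid "$1" || true
    return "$rc"
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit "${2:-$MMDF_BIN}"
fi
```

Run it as `sh script.sh --audit` on the affected host; a non-zero exit status means deliver is missing or still set-id.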