
SCO OpenServer 5.0.6 lpshut buffer overflow



    SCO OpenServer 5.0.6 upgrade from 5.0.x and 5.0.6 fresh install


    The following is based on a Strategic Reconnaissance Team Security
    Advisory (SRT2001-04).  SCO OpenServer 5.0.6 ships with suid bin
    /opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpshut.  lpshut handles command
    line arguments poorly, resulting in a buffer overflow.  lpshut
    will core dump if fed more than 6239 chars.

        /opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpshut `perl -e 'print "A" x 7000'`
        Memory fault - core dumped

    This problem makes it possible to overwrite memory space of the
    running process, and potentially execute code with the inherited
    privileges of bin.

    Credit goes to Kevin Finisterre.


    As a workaround, run
    chmod -s /opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpshut to remove the
    suid bit.  Vendor was notified on 03/22/01.  Vendor lab tests
    confirmed the issue.  Patch status is unknown.
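
    The workaround above as a script that checks the mode bits before and after the change. This is an added example, not part of the original advisory; the function names `priv_bits` and `strip_priv_bits` and the `--apply` argument are hypothetical.

```shell
#!/bin/sh
# Added example: check a binary for setuid/setgid bits and apply the
# advisory's "chmod -s" workaround. Helper names are hypothetical.

LPSHUT=/opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpshut   # path from the advisory

# Print "suid", "sgid", "suid,sgid" or "none" for a regular file.
# Returns 2 if the path is missing or is not a regular file.
priv_bits() {
    [ -f "$1" ] || return 2
    bits=""
    [ -u "$1" ] && bits="suid"
    [ -g "$1" ] && bits="${bits:+$bits,}sgid"
    echo "${bits:-none}"
}

# Strip setuid/setgid from the file and confirm the change took effect.
# Returns 0 if the file ends with neither bit set, 1 if chmod failed or
# a bit is still set afterwards, 2 if the file is missing.
strip_priv_bits() {
    before=$(priv_bits "$1") || return 2
    if [ "$before" = "none" ]; then
        echo "$1: no setuid/setgid bits, nothing to do"
        return 0
    fi
    chmod -s "$1" || return 1
    after=$(priv_bits "$1")
    echo "$1: $before -> $after"
    [ "$after" = "none" ]
}

# Only touch the system when asked to: sh thisfile --apply [path]
if [ "${1:-}" = "--apply" ]; then
    strip_priv_bits "${2:-$LPSHUT}"
fi
```

    A non-zero exit status from `strip_priv_bits` means the binary still needs attention, for example because the caller lacked permission to change its mode.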
