|
Vulnerability lpusers Affected SCO OpenServer 5.0.6 upgrade from 5.0.x and 5.0.6 fresh install Description Following is based on a Strategic Reconnaissance Team Security Advisory (SRT2001-05). SCO OpenServer 5.0.6 ships with suid bin /opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpusers. lpusers has poor handling of command line arguments resulting in a buffer overflow. lpusers will core dump if fed more than 670 chars. /opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpusers -u `perl -e 'print "A" x 700'` Memory fault - core dumped This problem makes it possible to overwrite memory space of the running process, and potentially execute code with the inherited privileges of bin. Credit goes to Kevin Finisterre. Solution chmod -s /opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpusers as workaround. Vendor was notified on 03/22/01. Vendor lab tests confirmed the issue. Patch status is unknown.