
ftpd, popper, scoadmin and sort buffer overflows, insecure tmp files, hijacking
31st May 2002 [SBWID-5386]
COMMAND

	ftpd, popper, scoadmin and sort buffer overflows,  insecure  tmp  files,
	hijacking

SYSTEMS AFFECTED

	 OpenServer 5.0.5 & 5.0.6 (all except ftpd)

	 Open UNIX 8.0.0 & UnixWare 7.1.1 (for ftpd only)

PROBLEM

	In Caldera Security Advisories:
	

	popper  buffer  overflow   and   denial-of-service   [CSSA-2002-SCO.20]:
	(Marcell  Fodor  reported  the  memory  fault  issue.  Dustin   Childers
	reported the denial-of-service issue.)
	

	/etc/popper will go into a loop if a character  string  of  length  2048
	(or more) is sent to it.
	

	If the bulldir variable in the user's config file is  longer  than  256
	characters, popper will memory fault.
	

	 ===============================

	

	sort command creates temporary files insecurely [CSSA-2002-SCO.21]:
	

	The sort command creates and uses temporary files insecurely. Names  can
	be predicted, and spoofed with symbolic links.
	

	 ===============================

	

	scoadmin command creates temporary files insecurely [CSSA-2002-SCO.22]:
	

	The scoadmin command creates and uses temporary files insecurely.  Names
	can be predicted, and spoofed with symbolic links.
	

	impacted binaries:
	

	/etc/sysadm.d/lib/sysadm.tlib

	/etc/sysadm.d/lib/sysadm.tndx
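	The sort and scoadmin items above describe the same flaw: a temporary
	file whose name can be predicted (prefix plus PID), created without
	O_EXCL, so a symlink planted at that name redirects the write to any
	file the utility's owner may write. The following is an added example,
	not code from the advisory or from SCO, that puts the vulnerable
	open() pattern beside the hardened one and checks what each does to a
	planted link. The scratch directory, the victim file, the PID 1234 and
	the function names are all constructed for the demonstration.

```python
import errno
import os
import tempfile


def predictable_tmp_name(directory: str, prog: str, pid: int) -> str:
    """Build a name the way the old utilities did: fixed prefix plus PID.
    PIDs are small and sequential, so a local user can guess this in advance."""
    return os.path.join(directory, f"{prog}{pid:05d}")


def insecure_create(path: str, data: bytes) -> str:
    """The vulnerable pattern: O_CREAT|O_TRUNC without O_EXCL follows any
    symlink already sitting at the predictable path and truncates its target.
    Returns the path that was actually written, after resolving symlinks."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return os.path.realpath(path)


def secure_create(path: str, data: bytes) -> str:
    """Hardened form: O_EXCL makes open() fail if anything (file, dangling or
    live symlink) already exists at the path, and O_NOFOLLOW refuses to
    traverse a symlink in the final component. Raises OSError on refusal."""
    nofollow = getattr(os, "O_NOFOLLOW", 0)  # not defined on every platform
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | nofollow, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return os.path.realpath(path)


def demo() -> dict:
    """Run both variants against a planted symlink in a scratch directory.
    Everything here is constructed; no real system paths are touched."""
    with tempfile.TemporaryDirectory() as work:
        victim = os.path.join(work, "victim.conf")
        with open(victim, "w") as f:
            f.write("original contents\n")

        tmpdir = os.path.join(work, "tmp")
        os.mkdir(tmpdir)

        # A local user who can predict the name plants the link before the
        # utility runs (constructed PID 1234 stands in for the guessed one).
        guessed = predictable_tmp_name(tmpdir, "sort", 1234)
        os.symlink(victim, guessed)

        written_to = insecure_create(guessed, b"sorted output\n")
        with open(victim) as f:
            clobbered = f.read() == "sorted output\n"

        try:
            secure_create(guessed, b"sorted output\n")
            refused = False
        except OSError as exc:
            refused = exc.errno in (errno.EEXIST, errno.ELOOP)

        # What fixed binaries should do instead: let the library pick an
        # unpredictable name and create it with O_EXCL in one step.
        fd, random_name = tempfile.mkstemp(dir=tmpdir, prefix="sort")
        os.close(fd)

        return {
            "insecure_wrote_to_victim": written_to == os.path.realpath(victim),
            "victim_clobbered": clobbered,
            "secure_refused": refused,
            "mkstemp_name_unpredictable":
                os.path.basename(random_name) != os.path.basename(guessed),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

	The check to make when reviewing code or auditing a system is simply
	whether the temporary file is created with O_EXCL (or mkstemp(3)) and
	whether its name carries any entropy; a PID-suffixed name opened with
	O_CREAT|O_TRUNC fails both tests.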

	 ===============================

	

	ftpd allows data connection hijacking via PASV mode [CSSA-2002-SCO.23]:
	

	In FTP PASV mode, the client makes  a  control  connection  to  the  FTP
	server (typically port 21/tcp) and requests a PASV data connection.  The
	server responds by listening for client connections on a specified  port
	number, which is supplied to the client via the control  connection.  If
	an attacker can make a connection  to  the  listening  port  before  the
	client connects, the server will  transmit  the  data  to  the  attacker
	instead of the client.
	

	To exploit this vulnerability, the attacker must intercept or guess  the
	port number that the server will use, then make its  connection  attempt
	before the client establishes a data connection. If the  server  chooses
	port  numbers  using   an   easily   identifiable   pattern   (such   as
	incrementally), this vulnerability is trivial to exploit.
	

	 Update (04 June 2002)

	 ======

	

	Tomasz Grabowski added the following info:
	

	It is also possible to hijack data connection while using  active  mode.
	The only difference is that the attacker needs  to  connect  to  the
	listening port on the client machine.
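	Both the PASV description above and the active-mode note turn on the
	same fact: the address and port of the data listener are announced in
	clear over the control connection, in the server's 227 reply for
	passive mode and in the client's PORT command for active mode, and the
	window for hijacking is widest when the listener's port choice follows a
	pattern. The following is an added example, not code from the advisory
	or from SCO, that decodes both messages and classifies a run of a
	server's 227 replies as sequential, constant-stride or irregular, which
	is the check an administrator would run against their own ftpd. The
	sample replies use RFC 5737 documentation addresses and are constructed,
	not captured.

```python
import re

# Six decimal fields h1,h2,h3,h4,p1,p2: address octets, then port = p1*256 + p2.
_SIX_FIELDS = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_REPLY_RE = re.compile(r"^227 [^(]*\(" + _SIX_FIELDS + r"\)")
PORT_COMMAND_RE = re.compile(r"^PORT " + _SIX_FIELDS + r"\s*$", re.IGNORECASE)


def _decode(fields) -> tuple:
    """Turn the six captured fields into (dotted address, port)."""
    values = [int(v) for v in fields]
    if any(v > 255 for v in values):
        raise ValueError(f"field out of range: {values}")
    h1, h2, h3, h4, p1, p2 = values
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(line: str) -> tuple:
    """Server -> client: '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.
    Returns the (address, port) the server is now listening on."""
    m = PASV_REPLY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    return _decode(m.groups())


def parse_port_command(line: str) -> tuple:
    """Client -> server (active mode): 'PORT h1,h2,h3,h4,p1,p2'.
    Returns the (address, port) the client is now listening on."""
    m = PORT_COMMAND_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode(m.groups())


def assess_allocation(ports) -> str:
    """Classify how a listener chose its data ports across several transfers.
    'sequential' is the case the advisory calls trivial to exploit."""
    if len(ports) < 3:
        return "insufficient"
    deltas = {b - a for a, b in zip(ports, ports[1:])}
    if deltas == {1}:
        return "sequential"
    if len(deltas) == 1:
        return "constant-stride"
    return "irregular"


def audit(replies) -> dict:
    """Decode a run of 227 replies from one server and rate its port choice."""
    ports = [parse_pasv_reply(r)[1] for r in replies]
    return {"ports": ports, "allocation": assess_allocation(ports)}


# Constructed samples: one server that hands out consecutive ports, one that
# does not. Neither is captured traffic.
SEQUENTIAL_SERVER = [
    "227 Entering Passive Mode (192,0,2,10,4,1)",
    "227 Entering Passive Mode (192,0,2,10,4,2)",
    "227 Entering Passive Mode (192,0,2,10,4,3)",
]
RANDOMISED_SERVER = [
    "227 Entering Passive Mode (192,0,2,10,156,23)",
    "227 Entering Passive Mode (192,0,2,10,221,4)",
    "227 Entering Passive Mode (192,0,2,10,132,200)",
]

if __name__ == "__main__":
    print("passive:", audit(SEQUENTIAL_SERVER), audit(RANDOMISED_SERVER))
    print("active :", parse_port_command("PORT 192,0,2,25,200,17"))
```

	A server rated "sequential" or "constant-stride" by this check is
	exactly the case the advisory warns about; the fixed binaries should
	produce "irregular" over any reasonable number of transfers, and the
	PORT decoder shows that in active mode the client's listener is
	announced just as openly.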
	
SOLUTION

	popper: install latest binaries
	

	ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.20

	sort: install latest binaries
	

	ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.21

	scoadmin: install latest binaries
	

	ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.22

	ftpd: install latest binaries
	

	ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.23
