COMMAND

    Solaris admintool local buffer overflow

SYSTEMS AFFECTED

    Solaris 2.5, 2.5.1, 2.6, 7, 8 SPARC and x86

PROBLEM

    In Kevin Kotas of the eSecurityOnline Research
    [http://www.eSecurityOnline.com] advisory [ID:eSO:2397]:

    --snipp--

    An attacker can use a carefully constructed string with the -d
    command line option or with the PRODVERS .cdtoc file variable to
    gain root privileges.

    The first buffer overflow is related to command line execution of
    admintool with the -d switch, when a long string is used with
    "/Solaris" present.

    The second buffer overflow occurs due to a lack of bounds checking
    for the PRODVERS argument in the .cdtoc file. The .cdtoc file is
    used to specify variables for installation media. Through the
    software/edit/add feature, a local directory can be specified that
    contains a .cdtoc file. The file can contain a string of data for
    the PRODVERS variable that will cause the program to crash or
    execute code when processed.

    --snapp--

SOLUTION

    As a workaround solution, remove the setuid permissions with the
    following:

        chmod -s /usr/bin/admintool

    Apply the following patches.

        Solaris 2.5:        103247-16
        Solaris 2.5_x86:    103245-16
        Solaris 2.5.1:      103558-16
        Solaris 2.5.1_x86:  103559-16
        Solaris 2.6:        105800-07
        Solaris 2.6_x86:    105801-07
        Solaris 7:          108721-02
        Solaris 7_x86:      108722-02
        Solaris 8:          10453-01
        Solaris 8_x86:      110454-01
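
    Added example (not part of the eSecurityOnline advisory or of Sun's
    patches): shell helpers for auditing a host against the SOLUTION
    section, checking that the setuid bit is gone and that an installed
    patch revision is at or above a listed one. It assumes patch listings
    in the "Patch: ID-REV ..." line form printed by showrev -p; the
    function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Audit helpers for the admintool workaround and patch levels.

# is_setuid FILE
# Returns 0 while FILE still carries the setuid bit, i.e. the
# "chmod -s" workaround has not been applied to it.
is_setuid() {
    [ -u "$1" ]
}

# patch_satisfied REQUIRED   (patch listing on stdin)
# REQUIRED is BASE-REV as given in the advisory, e.g. 105800-07.
# Returns 0 if the listing has the same BASE at revision >= REV.
# A later revision of the same patch supersedes an earlier one,
# so an exact string match would report false negatives.
patch_satisfied() {
    req_base=${1%-*}
    req_rev=${1#*-}
    awk -v base="$req_base" -v rev="$req_rev" '
        $1 == "Patch:" {
            split($2, p, "-")
            # "+ 0" forces numeric comparison so 07 compares as 7
            if (p[1] == base && p[2] + 0 >= rev + 0) found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample listing (not captured from a real host).
sample_listing() {
    cat <<'EOF'
Patch: 105800-05 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg
Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg
EOF
}

# Typical use on an affected host (commented out so the file can be
# sourced without side effects):
#   is_setuid /usr/bin/admintool && echo "admintool is still setuid"
#   showrev -p | patch_satisfied 105800-07 || echo "patch level too low"
```

    With the sample listing, patch_satisfied 105800-07 fails because
    revision 05 is older than the 07 the advisory requires.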