COMMAND

    sastcpd Buffer Overflow and Format String Vulnerabilities

SYSTEMS AFFECTED

    SAS Job Spawner for Open Systems version 8.01

PROBLEM

    In Digital Shadow advisory [http://www.ministryofpeace.co.uk]:

    Since sastcpd is installed uid 0 by default, full root privileges can
    be obtained through exploitation of either of the vulnerabilities
    below:

        $ sastcpd `perl -e "print 'A' x 1200"`
        Invalid argument: AAAA[..cut..]AAAA.
        Segmentation fault (core dumped)
        $ ls -la core
        -rw------- 1 root teknix 1454382 Jan 28 04:22 core
        $ sastcpd %n
        Segmentation fault (core dumped)
        $ sastcpd %x
        Invalid argument: 2.

    "Ellipse" added:

    It appears that the objspawn program included with the
    SAS/Integration Technologies product is also vulnerable to these
    bugs. objspawn is also a setuid root executable by default. See the
    above link for more information.

SOLUTION

    SAS Support say that these problems were fixed in version 8.2

        http://www.sas.com/service/techsup/unotes/SN/004/004201.html

    Also, removing the suid bit seems to solve the problem without
    breaking the software.
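
The setuid-bit workaround from the SOLUTION section, as an added example that is not part of the advisory or of SAS's own tooling: two shell functions that locate setuid copies of sastcpd and objspawn and strip the bit. The search root is an assumption, since the advisory does not give the install path; pass your own.

```shell
#!/bin/sh
# Added example: audit and strip the setuid bit on the two binaries the
# advisory names. The directory argument is an assumption (the advisory
# gives no install path); the function names are illustrative.
#
# Usage after sourcing this file:
#   find_setuid_sas /path/to/sas      # report only
#   strip_setuid_sas /path/to/sas     # remove the bit, then re-check

# Print every file named sastcpd or objspawn under $1 that has the
# setuid bit set (-perm -4000 matches the bit regardless of other modes).
find_setuid_sas() {
    find "$1" -type f \( -name sastcpd -o -name objspawn \) \
        -perm -4000 2>/dev/null
}

# Remove the setuid bit from each match and print the mode before and
# after. Returns 0 only when a second scan finds no setuid copy left,
# so a failed chmod (read-only mount, wrong owner) is not reported as fixed.
strip_setuid_sas() {
    root=$1
    find_setuid_sas "$root" | while IFS= read -r f; do
        before=$(ls -ld "$f" | cut -c1-10)
        chmod u-s "$f" || continue
        after=$(ls -ld "$f" | cut -c1-10)
        printf '%s: %s -> %s\n' "$f" "$before" "$after"
    done
    [ -z "$(find_setuid_sas "$root")" ]
}
```

Run the report function again after any SAS update or reinstall, since an installer can restore the default modes.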