Well I tried to mail this to the SCO / Caldera security aliases but they keep bouncing back so I will send it here instead... this is regarding the recent DT overflows on OpenUnix8.
-KF

-------- Original Message --------
Subject: Failed mail
Date: Mon, 1 Oct 2001 17:08:31 PDT
From: MMDF Mail System <mmdf@sco.COM>
To: dotslash@snosoft.com

Trouble sending mail on sco.sco.COM:

============ Transcript follows ============
(USER) Unknown user name in "tigger@sco.com"
(USER) Unknown user name in "sco-security@sco.com"
Submit error: No valid addresses

============== Message follows =============
Received: from clmboh1-smtp3.columbus.rr.com(65.24.0.112) via SMTP by sco.ca.caldera.COM, id smtpdAAAa006kA; Mon Oct 1 17:08:28 2001
Received: from osxinsightrrcom (dhcp065-024-239-073.insight.rr.com [65.24.239.73]) by clmboh1-smtp3.columbus.rr.com (8.11.2/8.11.2) with ESMTP id f920XDR13482; Mon, 1 Oct 2001 20:33:13 -0400 (EDT)
Message-Id: <200110020033.f920XDR13482@clmboh1-smtp3.columbus.rr.com>
Date: Sun, 30 Sep 2001 20:36:19 -0700
From: KF <dotslash@snosoft.com>
Content-Type: text/plain; format=flowed; charset=us-ascii
X-Mailer: Apple Mail (2.388)
Cc: sco-security@sco.com
To: tigger@sco.com
Mime-Version: 1.0 (Apple Message framework v388)
Content-Transfer-Encoding: 7bit
Subject: SECURITY ISSUE in DT

YOU MISSED A COUPLE BINARIES.

Begin forwarded message:

> From: MAILER-DAEMON@caldera.co
>
> <sco-security@caldera.com>:
> Sorry, no mailbox here by that name. (#5.1.1)
> Subject: Re: Security Update: [CSSA-2001-SCO.22] Open Unix, UnixWare 7:
> dtprintinfo environment buffer overflow
>
> Hey guys I installed OpenUnix again a few days ago and had a few minutes
> on it before I rm -rf'd it to make a dual boot box... I was able to make
> ALL suid / sgid binaries in the dt bin segfault (except for dtmail) with
> a long $HOME or $PATH or combination of the two...
> off the top of my head dtterm was one of them for sure.
>
> Also the /usr/sbin/recon binary segfaulted very similar to the
> OpenServer version.
> Just a heads up sorry I didn't think about it sooner.
> -KF
>
> On Monday, October 1, 2001, at 11:08 AM, sco-security@caldera.com wrote:
>
>> To: bugtraq@securityfocus.com security-announce@lists.securityportal.com
>> announce@lists.caldera.com scoannmod@xenitec.on.ca
>>
>> ___________________________________________________________________________
>>
>>             Caldera International, Inc. Security Advisory
>>
>> Subject:          Open Unix, UnixWare 7: dtprintinfo environment buffer overflow
>> Advisory number:  CSSA-2001-SCO.22
>> Issue date:       2001 October 1
>> Cross reference:
>> ___________________________________________________________________________
>>
>> 1. Problem Description
>>
>>    Very long environment variables will cause the dtprintinfo
>>    command to overflow a buffer. This could be used by an
>>    unauthorized user to gain privilege.
>>
>> 2. Vulnerable Versions
>>
>>    Operating System    Version    Affected Files
>>    ------------------------------------------------------------------
>>    UnixWare 7          All        /usr/dt/bin/dtprintinfo
>>    Open Unix           8.0.0      /usr/dt/bin/dtprintinfo
>>
>> 3. Workaround
>>
>>    None.
>>
>> 4. UnixWare 7
>>
>>    4.1 Location of Fixed Binaries
>>
>>        ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.22/
>>
>>    4.2 Verification
>>
>>        md5 checksums:
>>
>>        e726067eba0107ac5efd8c1fdb141b0d dtprintinfo.Z
>>
>>        md5 is available for download from
>>
>>        ftp://stage.caldera.com/pub/security/tools/
>>
>>    4.3 Installing Fixed Binaries
>>
>>        Upgrade the affected binaries with the following commands:
>>
>>        # mv /usr/dt/bin/dtprintinfo /usr/dt/bin/dtprintinfo-
>>        # uncompress /tmp/dtprintinfo.Z
>>        # cp dtprintinfo /usr/dt/bin
>>        # cd /usr/dt/bin
>>        # chown root dtprintinfo
>>        # chgrp bin dtprintinfo
>>        # chmod 4555 dtprintinfo
>>
>> 5. References
>>
>>    This and other advisories are located at
>>    http://stage.caldera.com/support/security
>>
>>    This advisory addresses Caldera Security internal incident
>>    sr850737.
>>
>> 6. Disclaimer
>>
>>    Caldera International, Inc. is not responsible for the misuse
>>    of any of the information we provide on our website and/or
>>    through our security advisories. Our advisories are a service
>>    to our customers intended to promote secure installation and
>>    use of Caldera International products.
>>
>> 7. Acknowledgements
>>
>>    Caldera International wishes to thank KF <dotslash@snosoft.com>
>>    for discovering and reporting this problem.
>>
>> ___________________________________________________________________________
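
The bug class the advisory and the report describe (a set-uid program copying a user-controlled `$HOME` or `$PATH` into a fixed-size buffer) is illustrated below as an added example; it is not code from dtprintinfo, Caldera or the poster. The buffer size, the `CFG_SUFFIX` file name and both function names are hypothetical, and the unsafe copy is an assumed pattern shown only for contrast with the checked form.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256                    /* constructed size for the demo */
#define CFG_SUFFIX "/.printers"         /* hypothetical per-user file */

/* Unsafe pattern, shown for contrast only: the copy is bounded by the
 * length of the user-controlled value, not by the destination. */
void config_path_unsafe(const char *home, char out[PATH_BUF]) {
    strcpy(out, home);                  /* overflows when strlen(home) >= PATH_BUF */
    strcat(out, CFG_SUFFIX);
}

/* Hardened form: reject unset, relative or over-long values and treat
 * truncation as an error. Returns 0 on success, -1 on rejection. */
int config_path_checked(const char *home, char *out, size_t outlen) {
    if (home == NULL || home[0] != '/')
        return -1;
    int n = snprintf(out, outlen, "%s%s", home, CFG_SUFFIX);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';              /* never hand back a truncated path */
        return -1;
    }
    return 0;
}

int main(void) {
    char path[PATH_BUF];
    char longhome[4096];                /* constructed over-long $HOME value */

    memset(longhome, 'A', sizeof longhome - 1);
    longhome[0] = '/';
    longhome[sizeof longhome - 1] = '\0';

    printf("normal HOME: %d\n", config_path_checked("/home/kf", path, sizeof path));
    printf("long HOME:   %d\n", config_path_checked(longhome, path, sizeof path));
    printf("real HOME:   %d\n", config_path_checked(getenv("HOME"), path, sizeof path));
    return 0;
}
```

The same length and truncation check applies to every environment value a privileged program consumes, `$PATH` included.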