Bugtraq: Vulnerability in Solaris mailtool(1)
The mailtool program is installed setgid mail by default in Solaris, and a buffer overrun exists in its handling of the OPENWINHOME environment variable. By specifying a long environment buffer containing machine executable code, it is possible to execute arbitrary command(s) as gid mail.
Date: Mon, 28 May 2001 11:46:13 +0200 (CEST)
From: dethy <email@example.com>
Subject: [synnergy] - Solaris mailtool(1) buffer overflow vulnerability

Vulnerability in Solaris mailtool(1)

Date Published: May 29, 2001
Advisory ID: N/A
Bugtraq ID: N/A
Sun Bug ID: 4458476
CVE CAN: None currently assigned.
Title: Solaris mailtool(1) Buffer Overflow Vulnerability
Class: Boundary Error Condition
Remotely Exploitable: No
Locally Exploitable: Yes

Vulnerable Packages/Systems:
    Solaris 8 x86
    Solaris 8 sparc
    [possibly others]

Discovery: firstname.lastname@example.org

Synopsis:
The mailtool program is installed setgid mail by default in Solaris, and a buffer overrun exists in its handling of the OPENWINHOME environment variable. By specifying a long environment buffer containing machine executable code, it is possible to execute arbitrary command(s) as gid mail.

Analysis:
mailtool incorrectly handles data from the OPENWINHOME environment variable; if this variable exceeds a predefined length, a stack overflow can occur.

    bash-2.03# export OPENWINHOME=`perl -e 'print "A"x1010'`
    bash-2.03# mailtool
    Segmentation Fault

'truss' output:

    Incurred fault #6, FLTBOUNDS %pc = 0xDF8BD448
    siginfo: SIGSEGV SEGV_MAPERR addr=0x4141414D
    Received signal #11, SIGSEGV [default]
    siginfo: SIGSEGV SEGV_MAPERR addr=0x4141414D
    *** process killed ***

Quick Fix:
Clear the sgid bit off the /usr/openwin/bin/mailtool program.

    chmod -s `which mailtool`

Solution/Vendor:
Sun Microsystems was notified on May 14, 2001 and verified the vulnerability. Patches/fixes are shortly to be released.

Related Links:
This vulnerability is unrelated to the Solaris 7/8 ximp40 shared library overflow discovered earlier in the year:
http://www.securityfocus.com/archive/1/159586

Credits:
Vulnerability discovered by dethy (email@example.com)
Synnergy Networks
http://www.synnergy.net
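The class of bug described in the Analysis, shown as an added example that is not part of the original advisory and is not mailtool's source (which the advisory does not show): an environment variable copied into a fixed-size stack buffer, next to a bounded version that rejects over-long values. The function names, the 256-byte buffer and the "/lib/help" suffix are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256          /* assumed size; the advisory gives no figure */
#define SUFFIX   "/lib/help"  /* hypothetical suffix appended to the value */

/* Unsafe pattern (illustrative, never called here): no length check, so a
 * value longer than the buffer is written past `path` on the stack. */
void unsafe_build_path(const char *home)
{
    char path[PATH_BUF];
    strcpy(path, home);
    strcat(path, SUFFIX);
    (void)path;
}

/* Bounded version: returns 0 and fills `out` on success, -1 if the value
 * is missing, not an absolute path, or would not fit. It never truncates
 * silently, because a truncated path is a different path. */
int build_openwin_path(const char *home, char *out, size_t outlen)
{
    int n;
    if (home == NULL || home[0] != '/')
        return -1;
    n = snprintf(out, outlen, "%s%s", home, SUFFIX);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* What a set-id program could do at startup: fall back to a fixed default
 * instead of trusting an over-long or malformed environment value. */
const char *resolve_openwin_path(char *out, size_t outlen)
{
    if (build_openwin_path(getenv("OPENWINHOME"), out, outlen) == 0)
        return out;
    if (build_openwin_path("/usr/openwin", out, outlen) == 0)
        return out;
    return NULL;
}

int main(void)
{
    char path[PATH_BUF];
    const char *p = resolve_openwin_path(path, sizeof path);
    printf("%s\n", p ? p : "(no usable path)");
    return 0;
}
```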