
Solaris /opt/SUNWssp/bin/cb_reset Vulnerability

By ServerWatch Staff
Posted Jun 21, 2001


A problem with the cb_reset setuid root command included in the SUNWssp package results in a buffer overflow and potentially the execution of arbitrary code.

Date: Wed, 20 Jun 2001 12:30:59 -0400
From: Pablo Sor <psor@afip.gov.ar>
Subject: Solaris /opt/SUNWssp/bin/cb_reset Vulnerability

Vulnerability in Solaris /opt/SUNWssp/bin/cb_reset

Date Published: June 12, 2001

Advisory ID: N/A

Bugtraq ID: N/A

CVE CAN: None currently assigned.

Title: Solaris /opt/SUNWssp/bin/cb_reset Buffer Overflow Vulnerability

Class: Boundary Error Condition

Remotely Exploitable: No

Locally Exploitable: Yes

Vulnerability Description:

A problem with the cb_reset setuid root command included in the SUNWssp package 
(not in the standard install) results in a buffer overflow and potentially 
the execution of arbitrary code.
Due to the insufficient handling of the input parameter, a buffer overflow at 600 
characters makes it possible to overwrite variables on the stack including 
the return address.

Vulnerable Packages/Systems:

SunOS 5.8 (have not tested on other versions)

Solution/Vendor Information/Workaround:

Sun Microsystems was notified on June 12, 2001. Patches are expected shortly.

Credits:

This vulnerability was discovered by Pablo Sor, Buenos Aires, Argentina.

This advisory was drafted with the help of the SecurityFocus.com Vulnerability
Help Team. For more information or assistance drafting advisories please mail
vulnhelp@securityfocus.com.

Technical Description:

$ uname -a
SunOS laika 5.8 Generic_108528-07 sun4u sparc SUNW,Ultra-5_10

$ ls /tftpboot/cb_port
/tftpboot/cb_port

$ /opt/SUNWssp/bin/cb_reset `perl -e 'print "A"x600'`
Resetting host
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
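
The kind of check whose absence produces an overflow like the one described above, as an added example that is not part of the advisory and is not Sun's code: a setuid program bounds and validates its argument before formatting it into a fixed-size buffer. The function name, the 255-byte limit, the host-name character set and the reading of the argument as a host name are assumptions, since cb_reset's source is not shown on this page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit for illustration; the advisory only says the overflow
 * occurs at 600 characters and does not give the real buffer size. */
#define HOST_MAX 255

/* Builds "Resetting host <host>" in out. Returns 0 on success, -1 if the
 * argument is rejected. Never writes more than outlen bytes to out. */
int build_reset_msg(const char *host, char *out, size_t outlen)
{
    size_t n;
    int w;

    if (host == NULL || out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';

    /* Bounded walk: stop as soon as the argument is too long or contains
     * a character outside the assumed host-name set. */
    for (n = 0; host[n] != '\0'; n++) {
        unsigned char c = (unsigned char)host[n];
        if (n >= HOST_MAX)
            return -1;
        if (!isalnum(c) && c != '-' && c != '.')
            return -1;
    }
    if (n == 0)
        return -1;

    /* snprintf stops at outlen; a return value >= outlen means the
     * message did not fit, which is treated as an error, not truncated. */
    w = snprintf(out, outlen, "Resetting host %s", host);
    if (w < 0 || (size_t)w >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char msg[64]; /* deliberately small so the fit check is exercised */
    if (argc != 2 || build_reset_msg(argv[1], msg, sizeof msg) != 0) {
        fputs("usage: reset <host>\n", stderr);
        return 1;
    }
    puts(msg);
    return 0;
}
```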
