From recon@SNOSOFT.COM Mon Apr  2 05:11:22 2001
From: "Secure Network Operations , Inc." <recon@SNOSOFT.COM>
X-Sender: recon@mail.snosoft.com (Unverified)
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Tue, 27 Mar 2001 13:35:39 +0100
Subject: [BUGTRAQ] SCO 5.0.6 issues (lpshut)

    [The following text is in the "iso-8859-1" character set]
    [Your display is set for the "US-ASCII" character set]
    [Some characters may be displayed incorrectly]

======================================================================
Strategic Reconnaissance Team Security Advisory(SRT2001-04)
Topic: SCO 5.0.6 issues (lpshut)
Vendor: SCO
Release Date: 03/27/01
======================================================================
.: Description
SCO OpenServer 5.0.6 ships with suid bin 
/opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpshut.
lpshut has poor handling of command line arguments resulting in a buffer 
overflow.
lpshut will core dump if fed more than 6239 chars.

.: Impact
/opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpshut `perl -e 'print "A" x 7000'`
Memory fault - core dumped

This problem makes it possible to overwrite memory space of the running 
process,
and potentially execute code with the inherited privileges of bin.

.: Workaround
chmod -s /opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpshut

.: Systems Affected
SCO OpenServer 5.0.6 upgrade from 5.0.x and 5.0.6 fresh install.

.: Proof of Concept
To be released at a later time.

.: Vendor Status
Vendor was notified on 03/22/01. Vendor lab tests confirmed the issue. Patch
status is unknown.

.: Credit
Kevin Finisterre
dotslash@snosoft.com, krfinisterre@checkfree.com

======================================================================
©Copyright 2001 Secure Network Operations , Inc.  All Rights Reserved.
Strategic Reconnaissance Team | recon@snosoft.com
http://recon.snosoft.com     | http://www.snosoft.com
----------------------------------------------------------------------