Date: Tue, 27 Mar 2001 13:39:05 +0100
From: "Secure Network Operations , Inc." <[email protected]>
To: [email protected]Subject: SCO 5.0.6 issues (recon)
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Strategic Reconnaissance Team Security Advisory(SRT2001-02)
Topic: SCO 5.0.6 issues (recon)
Vendor: SCO
Release Date: 03/27/01
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
.: Description
SCO OpenServer 5.0.6 ships with a suid root=20
/opt/K/SCO/Unix/5.0.6Ga/usr/bin/recon.
Recon has poor handling of command line arguments resulting in a buffer=20
overflow.
The core is dumped upon feeding recon more than 1315 chars
.: Impact
/opt/K/SCO/Unix/5.0.6Ga/usr/bin/recon `perl -e 'print "A" x 3000'`
Memory fault - core dumped
This problem makes it possible to overwrite memory space of the running=20
process,
and potentially execute code with the inherited privileges of root.
.: Workaround
chmod -s /opt/K/SCO/Unix/5.0.6Ga/usr/bin/recon
.: Systems Affected
SCO OpenServer 5.0.6 upgrade from 5.0.x and 5.0.6 fresh install.
.: Proof of Concept
To be released at a later time.
.: Vendor Status
Vendor was notified on 03/22/01. Vendor lab tests confirmed the issue. Patch
status is unknown.
.: Credit
Kevin Finisterre
[email protected], [email protected]
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=A9Copyright 2001 Secure Network Operations , Inc. All Rights Reserved.
Strategic Reconnaissance Team | [email protected]http://recon.snosoft.com | http://www.snosoft.com
----------------------------------------------------------------------
