From recon@SNOSOFT.COM Mon Apr 2 05:11:36 2001 From: "Secure Network Operations , Inc." X-Sender: recon@mail.snosoft.com (Unverified) To: BUGTRAQ@SECURITYFOCUS.COM Date: Tue, 27 Mar 2001 13:39:54 +0100 Subject: [BUGTRAQ] SCO 5.0.6 MMDF issues (sendmail 8.9.3) [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] ====================================================================== Strategic Reconnaissance Team Security Advisory(SRT2001-01) Topic: SCO 5.0.6 MMDF issues (sendmail 8.9.3) Vendor: SCO Release Date: 03/27/01 ====================================================================== .: Description SCO OpenServer 5.0.6 ships with a previously known buggy MMDF package. SCO Security Bulletin 2000.06 states "Recently Network Associates, Inc. issued a SECURITY ADVISORY against all versions of MMDF prior to the beta release 2.44a-B4" however SCO still released OpenServer 5.0.6 with version 2.43.3b of MMDF. The sendmail 8.9.3 binary has poor handling of command line arguments resulting in a buffer overflow. .: Impact /opt/K/SCO/MMDF/2.43.3b/usr/lib/sendmail `perl -e 'print "A" x 3000'` Memory fault - core dumped This problem makes it possible to overwrite memory space of the running process, and potentially execute code with the inherited privileges of the mmdf subsystem. uid=17(mmdf) gid=22(mmdf) groups=22(mmdf) .: Workaround chmod -s /opt/K/SCO/MMDF/2.43.3b/usr/lib/sendmail upgrade to a newer version of MMDF. .: Systems Affected SCO OpenServer 5.0.6 upgrade from 5.0.x and 5.0.6 fresh install. .: Proof of Concept To be released at a later time. Existing 5.0.x sendmail exploits may be valid. .: Vendor Status Vendor was notified on 03/22/01. Vendor lab tests confirmed the issue. Patch status is unknown. .: References Original SCO advisory ftp://ftp.sco.com/SSE/security_bulletins/SB-00.06a .: Credit Kevin Finisterre dotslash@snosoft.com, krfinisterre@checkfree.com ====================================================================== ©Copyright 2001 Secure Network Operations , Inc. All Rights Reserved. Strategic Reconnaissance Team | recon@snosoft.com http://recon.snosoft.com | http://www.snosoft.com ----------------------------------------------------------------------