Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:2858
HistoryApr 30, 2002 - 12:00 a.m.

eSecurityOnline Security Advisory 2397 - Sun Solaris admintool -d and PRODVERS buffer overflow vulnerabilities

2002-04-3000:00:00
vulners.com
15

EPSS

0.001

Percentile

32.8%

JSON

eSO Security Advisory: 2397
Discovery Date: March 28, 2000
ID: eSO:2397
Title: Sun Solaris admintool -d and PRODVERS buffer
overflow vulnerabilities
Impact: Local attackers can gain root privileges
Affected Technology: Solaris 2.5, 2.5.1, 2.6, 7, 8 SPARC and x86
Vendor Status: Patches are available
Discovered By: Kevin Kotas of the eSecurityOnline Research
and Development Team
CVE Reference: CAN-2002-0089

Advisory Location:
http://www.eSecurityOnline.com/advisories/eSO2397.asp

Description:
The Sun Solaris admintool utility is vulnerable to multiple buffer
overflow conditions that allow a local attacker to gain root access.
The problems are due to insufficient bounds checking on command line
options and on a configuration file variable. An attacker can use a
carefully constructed string with the -d command line option or with
the PRODVERS .cdtoc file variable to gain root privileges.

The first buffer overflow is related to command line execution of
admintool with the -d switch, when a long string is used with
"/Solaris" present.

The second buffer overflow occurs due to a lack of bounds checking
for the PRODVERS argument in the .cdtoc file. The .cdtoc file is used
to specify variables for installation media. Through the
software/edit/add feature, a local directory can be specified that
contains a .cdtoc file. The file can contain a string of data for
the PRODVERS variable that will cause the program to crash or execute
code when processed.

Technical Recommendation:
Apply the following patches.

Solaris 2.5:
103247-16

Solaris 2.5_x86:
103245-16

Solaris 2.5.1:
103558-16

Solaris 2.5.1_x86:
103559-16

Solaris 2.6:
105800-07

Solaris 2.6_x86:
105801-07

Solaris 7:
108721-02

Solaris 7_x86:
108722-02

Solaris 8:
10453-01

Solaris 8_x86:
110454-01

As a workaround solution, remove the setuid permissions with the following:
chmod -s /usr/bin/admintool

Vendor site:
http://sunsolve.sun.com

Acknowledgements:
eSecurityOnline would like to thank Sun Microsystems and the Sun security
team for their cooperation in resolving the issue.

Copyright 2002 eSecurityOnline LLC. All rights reserved.

THE INFORMATION IN THIS VULNERABILITY ALERT IS PROVIDED BY
ESECURITYONLINE LLC "AS IS", "WHERE IS", WITH NO WARRANTY OF ANY KIND,
AND ESECURITYONLINE LLC HEREBY DISCLAIMS THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. ESECURITYONLINE LLC SHALL HAVE NO LIABILITY FOR ANY DAMAGE,
CLAIM OR LOSS RESULTING FROM YOUR USE OF THE INFORMATION CONTAINED IN
THIS VULNERABILITY ALERT.

Related

cvelist 1
nvd 1
openvas 2
cve 1
cvelist
cvelist
CVE-2002-0089
2002-03-07 05:00:00
nvd
nvd
CVE-2002-0089
2002-03-15 05:00:00
openvas
openvas
Solaris Update for admintool 110453-04
2009-06-03 00:00:00
Solaris Update for admintool 110453-04
2009-06-03 00:00:00
cve
cve
CVE-2002-0089
2002-03-15 05:00:00

EPSS

0.001

Percentile

32.8%

JSON
Related for SECURITYVULNS:DOC:2858
cvelist1nvd1openvas2cve1