BugTraq
NSFOCUS SA2003-03: Solaris dtsession Heap Buffer Overflow Vulnerability Mar 31 2003 10:10AM
NSFCOSU Security Team (security nsfocus com) (1 replies)
Re: NSFOCUS SA2003-03: Solaris dtsession Heap Buffer Overflow Vulnerability Apr 01 2003 06:35AM
Alan Kong (kkkong ee cuhk edu hk)
Dear All,

I wonder whether Sunsolve has updated the security patches.

The following patches are still:

Solaris 2.6 106027-11
Solaris 2.6_x86 106028-11
Solaris 7 107702-11
Solaris 7_x86 107703-11
Solaris 8 109354-18

Regards
Alan

NSFCOSU Security Team wrote:

>NSFOCUS Security Advisory(SA2003-03)
>
>Topic: Solaris dtsession Heap Buffer Overflow Vulnerability
>
>Release Date: 2003-03-31
>
>CVE CAN ID: CAN-2003-0092
>
>Affected system:
>===================
>
>Sun Solaris 2.5.1 (SPARC/x86)
>Sun Solaris 2.6 (SPARC/x86)
>Sun Solaris 7 (SPARC/x86)
>Sun Solaris 8 (SPARC/x86)
>Sun Solaris 9 (SPARC/x86)
>
>Summary:
>=========
>
>NSFOCUS Security Team has found a buffer overflow vulnerability in dtsession
>which is an application in Sun Solaris system. Exploiting the vulnerability
>local attackers could gain root privilege.
>
>Description:
>============
>
>dtsession is a CDE session manager. It provides session management functionality
>that is compatible with ICCCM 1.1 during the user's session (from login to
>logout). It launches a window manager and allows saving/restoring/locking the session,
>launching the screen saver, and allocating colors for desktop compatible clients.
>
>By default the setuid root bit is set on CDE dtsession, which is shipped
>with Solaris. Because a valid length check has not been implemented when
>handling the HOME variable, attackers could cause a heap buffer overflow. By
>carefully crafting data, attackers could run arbitrary code with root privilege.
>
>Workaround:
>=============
>
>NSFOCUS suggests disabling the suid root bit of dtsession temporarily:
># chmod a-s /usr/dt/bin/dtsession
>
>Note: This might prevent a user from being able to unlock the screen
>by the list of keyholders (including root).
>
>Vendor Status:
>==============
>
>2002-12-11 Informed the vendor.
>2002-12-13 The vendor confirmed the vulnerability.
>2003-03-31 The vendor released a Sun Alert and patches for this issue.
>
>The Sun Alert is available at:
>http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/52388
>
>The patches are:
>
>Solaris 2.6 106027-12
>Solaris 2.6_x86 106028-12
>Solaris 7 107702-12
>Solaris 7_x86 107703-12
>Solaris 8 109354-19
>Solaris 8_x86 109355-18
>Solaris 9 114497-01
>Solaris 9_x86 114498-01
>
>
>Additional Information:
>========================
>
>The Common Vulnerabilities and Exposures (CVE) project has assigned the
>name CAN-2003-0092 to this issue. This is a candidate for inclusion in the
>CVE list (http://cve.mitre.org), which standardizes names for security
>problems. Candidates may change significantly before they become official
>CVE entries.
>
>DISCLAIMER:
>==========
>THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
>OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
>EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
>BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
>INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
>EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
>DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
>ADVISORY IS NOT MODIFIED IN ANY WAY.
>
>Copyright 1999-2003 NSFOCUS. All Rights Reserved. Terms of use.
>
>
>NSFOCUS Security Team <security (at) nsfocus (dot) com>
>NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
>(http://www.nsfocus.com)
>
>PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
>Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA
>
>

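Alan's question is really whether the installed patch revisions match the ones the advisory names (for example 109354-19, where Sunsolve still showed -18). The following script is an added example, not part of the advisory or the thread: it compares the advisory's patch ids against `showrev -p` style output. The sample output is constructed here, and the `Patch: <id>-<rev>` line format is assumed.

```sh
#!/bin/sh
# Added example: check installed Solaris patch revisions against the
# revisions required by NSFOCUS SA2003-03 (CAN-2003-0092).

# Required patch ids taken from the advisory (SPARC and x86).
REQUIRED="106027-12 106028-12 107702-12 107703-12 109354-19 109355-18 114497-01 114498-01"

# Constructed sample of `showrev -p` output from a Solaris 8 SPARC host
# that still has the older 109354-18 installed.
SAMPLE_SHOWREV='Patch: 108528-13 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109354-18 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtdst'

# installed_rev <showrev output> <patch base id>
# Prints the highest installed revision of the base id (2 digits), or nothing.
installed_rev() {
    printf '%s\n' "$1" | awk -v base="$2" '
        $1 == "Patch:" { split($2, p, "-"); if (p[1] == base && p[2]+0 > max) max = p[2]+0 }
        END { if (max) printf "%02d\n", max }'
}

# check_patch <showrev output> <required id, e.g. 109354-19>
# Returns 0 if the installed revision is >= the required one, else 1.
check_patch() {
    base=${2%-*}
    need=${2#*-}
    have=$(installed_rev "$1" "$base")
    [ -n "$have" ] && [ "$have" -ge "$need" ]
}

# audit_installed <showrev output>
# For every advisory patch whose base id is present, print OK or OUTDATED.
# Patches for other platforms/releases are skipped. Returns the outdated count.
audit_installed() {
    bad=0
    for id in $REQUIRED; do
        base=${id%-*}
        [ -n "$(installed_rev "$1" "$base")" ] || continue
        if check_patch "$1" "$id"; then
            echo "OK       $id"
        else
            echo "OUTDATED $id"
            bad=$((bad + 1))
        fi
    done
    return $bad
}
```

On a real host replace the sample with `audit_installed "$(showrev -p)"`; a non-zero exit means at least one relevant patch is below the advisory's revision.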
Copyright 2010, SecurityFocus