SAS SASTCPD Local Root Code Execution Vulnerability

sastcpd is a "Job Spawner" included with the base installation of the SAS Software infrastructure. It is available for various platforms, including Unix, Linux, and Microsoft operating systems.

sastcpd passes environment variables directly to an execve call. Because sastcpd is installed suid root by default, this can lead to the execution of arbitrary programs as the root user. Exploitation of this vulnerability leads directly to local compromise of the root account.
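The mitigation for this class of bug is for a suid program to build a minimal environment itself instead of handing the caller's environment to execve. The following is an added example, not SAS code and not from the advisory; the allow-list, `SAFE_PATH`, the function names and the sample environment are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* Assumed allow-list of variables a spawned job may inherit. */
static const char *const ALLOWED[] = { "TZ", "LANG", "TERM", NULL };
#define SAFE_PATH "PATH=/usr/bin:/bin"   /* fixed, never inherited */

/* Constructed sample of a caller-controlled environment. */
char *const SAMPLE_ENV[] = { "LD_PRELOAD=/tmp/x.so", "PATH=/tmp:/bin",
    "LANG=C", "IFS=/", "TZ=/tmp/zone", "TERM=xterm", "BROKEN", NULL };

/* 1 if entry is NAME=value, NAME is allow-listed and value has no '/'. */
static int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;
    size_t nlen = (size_t)(eq - entry);
    for (size_t i = 0; ALLOWED[i] != NULL; i++)
        if (strlen(ALLOWED[i]) == nlen && !strncmp(entry, ALLOWED[i], nlen))
            return strchr(eq + 1, '/') == NULL;
    return 0;
}

/* Fill out[] (max slots) with SAFE_PATH plus the allow-listed entries of
 * src, NULL terminated. Returns the entry count, or -1 if out is too small. */
int build_clean_env(char *const src[], const char *out[], size_t max)
{
    size_t n = 0;
    if (max < 2)
        return -1;
    out[n++] = SAFE_PATH;
    for (size_t i = 0; src != NULL && src[i] != NULL; i++) {
        if (!env_entry_allowed(src[i]))
            continue;
        if (n + 1 >= max)
            return -1;
        out[n++] = src[i];
    }
    out[n] = NULL;
    return (int)n;
}

/* Hardened spawn; the unsafe form is execve(path, argv, environ). */
int spawn_job(const char *abs_path, char *const argv[], char *const inherited[])
{
    const char *clean[16];
    if (abs_path[0] != '/' || build_clean_env(inherited, clean, 16) < 0)
        return -1;
    return execve(abs_path, argv, (char *const *)clean);
}
```

For the constructed sample, only `LANG=C` and `TERM=xterm` survive alongside the fixed `PATH`; a privileged spawner should also drop privileges before the exec whenever the child does not need root.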


 

Copyright 2010, SecurityFocus