Info
Last Modified: 8 months ago
Description
A local overflow exists in the Common Desktop Environment (CDE) dtmail program. dtmail fails to sanitize format string characters passed on the command line, resulting in a heap overflow. With a specially crafted format string, an attacker can cause arbitrary code to be executed with the privileges of the mail group, resulting in a loss of confidentiality, integrity, or availability.
Classification
Location: Local Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified
Technical
This vulnerability is due to a poor implementation of a print function, which allows a user-supplied format to be processed via the argv[0] value. For successful exploitation a local attacker would craft special format string characters to pass in argv[0], causing an overflow through which arbitrary code can be executed. Program arguments are copied onto the heap before being processed, which is why systems with non-executable stack protection are also affected.
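The defect class described above, shown as an added example that is not dtmail's code: a usage routine that treats argv[0] as a format string, beside a hardened form that keeps the program name as data, plus a small check a reviewer can run over any string about to reach a printf-style call. The usage text, function names and the "-f mailfile" option are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* The vulnerable pattern (not compiled here, shown for contrast):
 *     fprintf(stderr, argv[0]);   // argv[0] IS the format string
 * Any %-directive in the program name is interpreted by printf,
 * which is the root cause of the overflow described in this entry. */

/* Hardened form: the format is a compile-time constant, and the
 * user-controlled program name only ever fills a "%s" slot.
 * Returns the number of bytes written, or -1 if it did not fit. */
int build_usage(const char *prog, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "usage: %s [-f mailfile]\n", prog);
    return (n >= 0 && (size_t)n < outlen) ? n : -1;
}

/* Defender-side check: count conversion directives in text that is
 * about to be handed to a printf-style function as its format.
 * "%%" is a literal percent sign and is not counted. A non-zero
 * result on attacker-controlled text is a red flag for review. */
int count_format_directives(const char *s) {
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* escaped percent, skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(int argc, char **argv) {
    char buf[256];
    /* argv[0] may be NULL when argc == 0; fall back to a fixed name */
    const char *prog = (argc > 0 && argv[0]) ? argv[0] : "dtmail";
    if (count_format_directives(prog) > 0)
        fputs("warning: program name contains format directives\n", stderr);
    if (build_usage(prog, buf, sizeof buf) < 0)
        return 1;
    fputs(buf, stderr);
    return 0;
}
```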
Solution |
Upgrade CDE with the latest patches referenced by the vendor, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s):
Remove the "set-group-ID" bit from dtmail(1X) by running the following as root:
# chmod 0555 /usr/dt/bin/dtmail
Products
CDE
- 1.4 for Solaris 8 SPARC
- 1.5 for Solaris 9 SPARC
- 1.4 for Solaris 8 x86
- 1.5 for Solaris 9 x86
- 1.x for Solaris 7
Credit |
- iDEFENSE - idlabs-advisories
idefense.com - iDEFENSE