SCO OpenServer NWPrint Command Line Argument Local Buffer Overflow Vulnerability

Bugtraq ID:	12986
Class:	Boundary Condition Error
CVE:	CVE-2005-0993
Remote:	No
Local:	Yes
Published:	Apr 04 2005 12:00AM
Updated:	Jul 12 2009 11:56AM
Credit:	Discovery of this vulnerability is credited to pasquale minervini <[email protected]>.
Vulnerable:	SCO Open Server 5.0.7 SCO Open Server 5.0.6
Not Vulnerable:

SCO OpenServer NWPrint Command Line Argument Local Buffer Overflow Vulnerability

nwprint that is distributed with SCO OpenServer is prone to a local buffer overflow vulnerability. This issue arises because the application fails to perform boundary checks prior to copying user-supplied data into sensitive process buffers. A local attacker can gain elevated privileges (lp user) by exploiting this issue.

SCO OpenServer NWPrint Command Line Argument Local Buffer Overflow Vulnerability

The following exploit is available:

• /data/vulnerabilities/exploits/nwprintex.c

SCO OpenServer NWPrint Command Line Argument Local Buffer Overflow Vulnerability

Solution:
SCO has released security advisory SCOSA-2005.26 addressing this issue. Please see the referenced advisory for details on obtaining and applying the appropriate updates.


SCO Open Server 5.0.6

• SCO SCOSA-2005.26
  ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.26

SCO Open Server 5.0.7

• SCO osr507list.html
  http://www.sco.com/support/update/download/osr507list.html

SCO OpenServer NWPrint Command Line Argument Local Buffer Overflow Vulnerability

References:

• SCO OpenServer Home Page (SCO)
  
• possible privilege escalation on Sco OpenServer 5.0.7 (pasquale minervini )