Solaris cu Buffer Overflow Vulnerability

Bugtraq ID:	2253
Class:	Boundary Condition Error
CVE:
Remote:	Yes
Local:	Yes
Published:	Jan 17 2001 12:00AM
Updated:	Jan 17 2001 12:00AM
Credit:	Reported to bugtraq by Pablo Sor <[email protected]> on Wed, 17 Jan 2001
Vulnerable:	Sun Solaris 2.5.1 Sun Solaris 8_x86 Sun Solaris 8_sparc Sun Solaris 7.0 Sun Solaris 2.6 Sun Solaris 2.5 Sun Solaris 2.4
Not Vulnerable:

Solaris cu Buffer Overflow Vulnerability

"cu" is a unix communications program. It is usually installed with enhanced privileges so that it may access hardware communications hardware.

The version of /usr/bin/cu that ships with Solaris contains a buffer overflow vulnerability.

The problem occurs when it copies argv[0] to an internal variable without bounds checking. As a result, if argv[0] exceeds the length of the destination buffer, it will be copied over neighbouring data on the stack.

It may be possible for a local attacker to exploit this vulnerability to gain effective group-id 'uucp'. This may lead to a root compromise.

Solaris cu Buffer Overflow Vulnerability

Solution:
Sun has released a patches to address this issue for Sun Solaris 8:


Sun Solaris 8_x86

• Sun 111072-01
  http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21 -111072-01-1

Sun Solaris 8_sparc

• Sun 111071-01
  http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21 -111071-01-1

Solaris cu Buffer Overflow Vulnerability

References: