Vulnerability Note VU#36866
Solaris ufsrestore buffer overflow in command pathname parameters for interactive session
Overview
There is a buffer overflow in ufsrestore, a file restoration utility.
Description
When operating in interactive mode, the pathname parameter of the extract command is not properly bounds checked. When used in conjunction with long pathnames contained in the dump file, an internal buffer can be overflowed, allowing an attacker to overwrite memory and gain root privileges. |
Impact
A local user can gain root privileges by exploiting this vulnerability. |
Solution
Apply a Patch Apply a patch from your vendor. |
Disable the setuid bit on ufsrestore
|
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Sun | Vulnerable | 17 Mar 2001 | 20 Apr 2002 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://www.securityfocus.com/bid/1348
- http://www.securityfocus.com/archive/1/64837
- http://sunsolve.sun.com/private-cgi/retrieve.pl?doctype=coll&doc=secbull/210&type=0&nav=sec.sba
Credit
Thanks to Job de Haas (job@itsx.com) of ITSX BV Amsterdam, The Netherlands (http://www.itsx.com) for reporting this vulnerability to the CERT/CC.
This document was written by Cory F Cohen.
Other Information
- CVE IDs: CVE-2000-0471
- Date Public: 14 Jun 2000
- Date First Published: 06 Apr 2001
- Date Last Updated: 19 Nov 2001
- Severity Metric: 16.71
- Document Revision: 12
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify
