Vulnerability Note VU#36866

Solaris ufsrestore buffer overflow in command pathname parameters for interactive session

Overview

There is a buffer overflow in ufsrestore, a file restoration utility.

I. Description

When operating in interactive mode, the pathname parameter of the extract command is not properly bounds checked. When used in conjunction with long pathnames contained in the dump file, an internal buffer can be overflowed, allowing an attacker to overwrite memory and gain root privileges.

II. Impact

A local user can gain root privileges by exploiting this vulnerability.

III. Solution

Apply a Patch

Apply a patch from your vendor.

Disable the setuid bit on ufsrestore

You can prevent this vulnerability from being exploited by removing the setuid bit from ufsrestore.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Sun	Vulnerable	19-Nov-2001

References

http://www.securityfocus.com/bid/1348
http://www.securityfocus.com/archive/1/64837
http://sunsolve.sun.com/private-cgi/retrieve.pl?doctype=coll&doc=secbull/210&type=0&nav=sec.sba

Credit

Thanks to Job de Haas (job@itsx.com) of ITSX BV Amsterdam, The Netherlands (http://www.itsx.com) for reporting this vulnerability to the CERT/CC.

This document was written by Cory F Cohen.

Other Information

Date Public:	2000-06-14
Date First Published:	2001-04-06
Date Last Updated:	2001-11-19
CERT Advisory:
CVE-ID(s):	CVE-2000-0471
NVD-ID(s):	CVE-2000-0471
US-CERT Technical Alerts:
Metric:	16.71
Document Revision:	12

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader