eSO-2397.txt
Posted May 1, 2002
Authored by Kevin Kotas | Site eSecurityOnline.com

eSO Security Advisory 2397 - The Sun Solaris admintool utility is vulnerable to multiple buffer overflow conditions that allow a local attacker to gain root access. The first overflow exists in the parsing mechanism of the .cdtoc file and the second overflow can be triggered through the '-d' parameter that is given to this program upon execution.

tags | overflow, local, root
systems | solaris
SHA-256 | 46f8320fbeb6bec2c90998056a30257667fbabd667769dc75ea9f320ef7c4a4c

eSO Security Advisory: 2397 
Discovery Date: March 28, 2000
ID: eSO:2397
Title: Sun Solaris admintool -d and PRODVERS buffer overflow vulnerabilities
Impact: Local attackers can gain root privileges
Affected Technology: Solaris 2.5, 2.5.1, 2.6, 7, 8 SPARC and x86
Vendor Status: Patches are available
Discovered By: Kevin Kotas of the eSecurityOnline Research and Development Team
CVE Reference: CAN-2002-0089

Advisory Location:
http://www.eSecurityOnline.com/advisories/eSO2397.asp

Description:
The Sun Solaris admintool utility is vulnerable to multiple buffer
overflow conditions that allow a local attacker to gain root access.
The problems are due to insufficient bounds checking on command line
options and on a configuration file variable. An attacker can use a
carefully constructed string with the -d command line option or with
the PRODVERS .cdtoc file variable to gain root privileges.

The first buffer overflow is related to command line execution of
admintool with the -d switch, when a long string is used with
"/Solaris" present.

The second buffer overflow occurs due to a lack of bounds checking
for the PRODVERS argument in the .cdtoc file. The .cdtoc file is used
to specify variables for installation media. Through the
software/edit/add feature, a local directory can be specified that
contains a .cdtoc file. The file can contain a string of data for
the PRODVERS variable that will cause the program to crash or execute
code when processed.

Technical Recommendation:
Apply the following patches.

Solaris 2.5:
103247-16

Solaris 2.5_x86:
103245-16

Solaris 2.5.1:
103558-16

Solaris 2.5.1_x86:
103559-16

Solaris 2.6:
105800-07

Solaris 2.6_x86:
105801-07

Solaris 7:
108721-02

Solaris 7_x86:
108722-02

Solaris 8:
10453-01

Solaris 8_x86:
110454-01

As a workaround solution, remove the setuid permissions with the following:
chmod -s /usr/bin/admintool

Vendor site:
http://sunsolve.sun.com

Acknowledgements:
eSecurityOnline would like to thank Sun Microsystems and the Sun security
team for their cooperation in resolving the issue.

Copyright 2002 eSecurityOnline LLC. All rights reserved.

THE INFORMATION IN THIS VULNERABILITY ALERT IS PROVIDED BY
ESECURITYONLINE LLC "AS IS", "WHERE IS", WITH NO WARRANTY OF ANY KIND,
AND ESECURITYONLINE LLC HEREBY DISCLAIMS THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. ESECURITYONLINE LLC SHALL HAVE NO LIABILITY FOR ANY DAMAGE,
CLAIM OR LOSS RESULTING FROM YOUR USE OF THE INFORMATION CONTAINED IN
THIS VULNERABILITY ALERT.