Security Update: [CSSA-2002-SCO.12] Open UNIX, UnixWare 7: rpc.cmsd can be remotely exploited
From: security () caldera com
Date: Wed, 20 Mar 2002 15:12:33 -0800
To: bugtraq () securityfocus com announce () lists caldera com scoannmod () xenitec on ca
Caldera International, Inc. Security Advisory
Subject: Open UNIX, UnixWare 7: rpc.cmsd can be remotely exploited
Advisory number: CSSA-2002-SCO.12
Issue date: 2002 March 20
1. Problem Description
The rpc.cmsd command would overflow a buffer under certain
circumstances, allowing the possibility of a remote user to
The exploit code provided by jGgM requests program 100068
version 4 on UDP (implemented by /usr/dt/bin/rpc.cmsd) and
then does a single RPC call to procedure 21 (rtable_create)
passing 2 strings, one of which creates a buffer overflow.
args is of type Table_Op_Args_4: 2 client supplied strings as
args->target and args->new_target. "new_target" is never used
and "target" creates the overflow later on.
_DtCmGetPrefix will overflow its local variable "buf" if the
"sep" parameter that ends the prefix is not present.
A secondary problem may also occur because
_DtCm_rtable_create_4_svc does not make sure that the length
of args->target is < BUFSIZ.
2. Vulnerable Supported Versions
Operating System        Version         Affected Files
UnixWare 7              7.1.1           /usr/dt/bin/rpc.cmsd
Open UNIX               8.0.0           /usr/dt/bin/rpc.cmsd
4. UnixWare 7, Open UNIX 8
4.1 Location of Fixed Binaries
MD5 (erg711942b.Z) = 64d49dcd622cccbb2e7553e2706bc33d
md5 is available for download from
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following commands:
Download erg711942b.Z to the /var/spool/pkg directory
# uncompress /var/spool/pkg/erg711942b.Z
# pkgadd -d /var/spool/pkg/erg711942b
Specific references for this advisory:
Caldera UNIX security resources:
Caldera OpenLinux security resources:
This advisory addresses Caldera Security internal incidents
sr858623, fz519829, erg711942.
Caldera International, Inc. is not responsible for the misuse
of any of the information we provide on our website and/or
through our security advisories. Our advisories are a service
to our customers intended to promote secure installation and
use of Caldera International products.
This vulnerability was discovered and researched by jGgM
<jggm () mail com>.
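The two conditions named in section 1 (a prefix copy that runs on when "sep" is absent, and a client string that is not checked against BUFSIZ) can be closed as in the sketch below. It is an added example, not Caldera's fix or the CDE source; the function names, the 16-byte buffer and the sample strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>   /* BUFSIZ */
#include <string.h>

/* Hypothetical helpers; names are illustrative, not taken from rpc.cmsd. */

/* Caller-side check: accept a client-supplied string only if its length
 * is < BUFSIZ, i.e. a NUL terminator occurs within the first BUFSIZ bytes. */
int target_length_ok(const char *target)
{
    size_t i;
    if (target == NULL)
        return 0;
    for (i = 0; i < BUFSIZ; i++)
        if (target[i] == '\0')
            return 1;
    return 0;
}

/* Copy the part of str before the first sep into out (capacity out_len).
 * Unlike an unbounded copy loop, this fails closed when sep is missing
 * or the prefix would not fit. Returns 0 on success, -1 on rejection. */
int get_prefix_bounded(const char *str, char sep, char *out, size_t out_len)
{
    const char *end;
    size_t n;
    if (str == NULL || out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    end = strchr(str, sep);
    if (end == NULL)                /* separator absent: refuse to copy */
        return -1;
    n = (size_t)(end - str);
    if (n >= out_len)               /* prefix plus NUL must fit in out */
        return -1;
    memcpy(out, str, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char buf[16];                   /* constructed size for the demo */
    /* Constructed sample inputs, not real calendar names. */
    printf("%d\n", get_prefix_bounded("callog.user@host", '@', buf, sizeof buf));
    printf("%d\n", get_prefix_bounded("no-separator-here", '@', buf, sizeof buf));
    return 0;
}
```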