1. /
  2. Security Response/
  3. Multiple Sun Database Functions Buffer Overflow Vulnerabilities

Multiple Sun Database Functions Buffer Overflow Vulnerabilities

Risk

High

Date Discovered

June 19, 2003

Description

Sun dbm_open(), ndbm(), dbm() and dbminit() library functions have been reported prone to buffer overflow vulnerabilities. Each of these issues likely present themselves due to a lack of sufficient bounds checking performed when copying externally supplied data into an internal memory buffer. Excessive data supplied to one of the functions will overrun the boundary of the assigned buffer and corrupt adjacent memory. It should be noted that the vendor has discussed that the Solaris Xsun application is linked to the vulnerable library and runs as a privileged application. Therefore it may be possible for a local or remote attacker to exploit this condition to obtain root privileges.

Technologies Affected

  • Oracle Solaris 8
  • Oracle Solaris 9
  • Sun Solaris 2.6
  • Sun Solaris 2.6 X86
  • Sun Solaris 7.0
  • Sun Solaris 7.0 X86
  • Sun Solaris 8 Sparc
  • Sun Solaris 8 X86
  • Sun Solaris 9 Sparc
  • Sun Solaris 9 X86
  • Sun SunOS 5.9.0
  • Sun SunOS 5.9.0 X86

Recommendations

Audit the system and limit, or remove, access to setuid or setgid utilities.

Disabling setuid permissions on unnecessary programs may prevent the exploitation of latent vulnerabilities such as this. If setuid capabilities are required, restrict execute access to a trusted group.

Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.

Do not permit such access except to trusted individuals.

Block external access at the network boundary, unless external parties require service.

If applicable, block external access to the affected system at the network boundary. Allow access for trusted users, hosts and networks only.

Run all software as a nonprivileged user with minimal access rights.

If applicable, run all server processes with the least possible privileges that allow normal functionality, in a chroot or jailed environment.

Implement multiple redundant layers of security.

An attackers ability to exploit this vulnerability, to execute arbitrary code, may be hindered through the use of various memory protection schemes. Where possible, implement the use of non-executable and randomly mapped memory segments.
This vendor has reported that this issue is addressed in the following releases; links to the patches can be obtained in the referenced advisory: SPARC Platform Solaris 2.6 with patches 105210-47, 105377-06 and 105401-43 or later for each listed patch Solaris 7 with patches 106541-22, 106942-26 and 106949-03 or later for each listed patch Solaris 8 with patches 108827-24, 108993-16 and 109152-02 or later for each listed patch Solaris 9 with patches 112874-01, 112922-02, 113319-10, 114569-02 and 114571-01 or later for each listed patch x86 Platform Solaris 2.6 with patches 105211-49 and 105402-43 or later for each listed patch Solaris 7 with patches 106542-22 and 106943-26 or later for each listed patch Solaris 8 with patches 108828-25, 108994-16 and 114617-01 or later for each listed patch Solaris 9 with patches 113719-03, 114570-01 and 114715-01 or later for each listed patch Fixes:

Credits

The vendor has announced this vulnerability.
Copyright © Symantec Corporation.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Threat Intelligence

Subscribe
Follow the Threat Intelligence Twitter feed
STAR Antimalware Protection Technologies
Internet Security Threat Report
Symantec DeepSight Screensaver