CDE dtmail argv format string attack
| dtmail-argv-format-string (17095) |  High Risk |
Description:
The Common Desktop Environment (CDE) dtmail program is vulnerable to a format string attack. A local attacker could supply a specially-crafted argv[0] containing format string characters to execute arbitrary code on the system with mail group privileges.
Consequences:
Gain Privileges
Remedy:
Apply the appropriate patch for your system, as listed below. Refer to Sun Alert ID: 57627 for more information. See References.
SPARC Platform
CDE 1.4 for Solaris 8: 109613-07 or later
CDE 1.5 for Solaris 9: 112810-06 or later
x86 Platform
CDE 1.4 for Solaris 8: 109614-07 or later
CDE 1.5 for Solaris 9: 113870-05 or later
As a workaround, follow the instructions as listed in Sun Alert ID: 57627. See References.
References:
- CIAC Information Bulletin 0-202: Buffer Overflow in the CDE Mailer dtmail(1X).
- iDEFENSE Security Advisory 08.24.04: CDE Mailer argv[0] Format String Vulnerability .
- Sun Alert ID: 57627: Buffer Overflow in the CDE Mailer dtmail(1X).
- BID-11027: Sun DtMail Local Command Line Format String Vulnerability
- CVE-2004-0800: Format string vulnerability in CDE Mailer (dtmail) on Solaris 8 and 9 allows local users to gain privileges via format strings in the argv[0] value.
- US-CERT VU#928598: Sun Solaris dtmail contains a format string vulnerability
Platforms Affected:
- Sun Solaris 8
- Sun Solaris 9
Reported:
Aug 24, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net