COMMAND

    /usr/bin/doscmd

SYSTEMS AFFECTED

    BSDI 3.1, FreeBSD

PROBLEM

    kasper found the following.  He found a buffer overflow in
    /usr/bin/doscmd as distributed with BSDI 3.1.  For example:

        finally:~ $ /usr/bin/doscmd `perl -e 'print "A" x 1015'`
        Segmentation fault

    doscmd is a setuid executable as well.  This was not "tested" on
    anything other than 2 BSDI 3.1 (x86) machines.  Warner Losh
    confirmed the same on FreeBSD.  On FreeBSD, where doscmd wasn't built
    by default until quite recently, the behaviour is the same.  There
    are several other overflows that were hard to find and fix, and
    fixing this one only moves the buffer overflow to a later point in
    the program.  It appears that much work will need to be done to rid
    this program of buffer overflows, judging from this one simple
    example.  The buffer overflows look like they could be exploitable,
    at least in FreeBSD's version (core files show an illegal address of
    0x41414141, i.e. the "AAAA" input bytes).
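    The pattern behind the crash above, shown as an added example that is
    not doscmd's code: an argument copied into a fixed-size buffer with no
    length check, next to a bounded version that refuses oversized input.
    The buffer size (ARG_BUF), the function names and the probe helper are
    assumptions for illustration; the test input is constructed in-process.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARG_BUF 512   /* assumed fixed buffer size, not doscmd's real one */

/* Unsafe pattern: the argument is copied into a fixed stack buffer with no
 * bound. An argument longer than the buffer overwrites what follows it on
 * the stack, which is how a long run of 'A' ends up as a fault address.
 * Kept only for comparison; it is never run with long input here. */
int handle_arg_unchecked(const char *arg)
{
    char buf[ARG_BUF];
    strcpy(buf, arg);              /* no length check */
    return (int)strlen(buf);
}

/* Bounded version: reject arguments that do not fit rather than truncating
 * silently (silent truncation can change what a setuid program does). */
int handle_arg_bounded(const char *arg)
{
    char buf[ARG_BUF];
    size_t n = strlen(arg);
    if (n >= sizeof buf) {
        fprintf(stderr, "argument too long (%zu bytes, limit %zu)\n",
                n, sizeof buf - 1);
        return -1;
    }
    memcpy(buf, arg, n + 1);       /* n + 1 copies the terminating NUL */
    return (int)n;
}

/* Build a constructed argument of `count` copies of `c` (the advisory's
 * perl one-liner, done in-process) and run it through the bounded copy.
 * Returns the accepted length, or -1 if the argument was rejected. */
int probe_with_repeated(char c, size_t count)
{
    char *arg = malloc(count + 1);
    if (arg == NULL)
        return -1;
    memset(arg, c, count);
    arg[count] = '\0';
    int r = handle_arg_bounded(arg);
    free(arg);
    return r;
}

int main(int argc, char **argv)
{
    if (argc > 1)
        return handle_arg_bounded(argv[1]) < 0 ? 1 : 0;
    printf("1015 x 'A': %d\n", probe_with_repeated('A', 1015));  /* -1 */
    printf("16 x 'A':   %d\n", probe_with_repeated('A', 16));    /* 16 */
    return 0;
}
```

    The bounded copy returns -1 for the 1015-byte argument from the
    advisory and the length for anything that fits; the unchecked version
    is present only so the two can be read side by side.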

SOLUTION

    Nothing yet.  Take the precaution of removing the setgid kmem bit
    from the installed binary until these issues can be resolved.