COMMAND

    lpadmin

SYSTEMS AFFECTED

    SCO OpenServer 5.0.6 upgrade from 5.0.x and 5.0.6 fresh install

PROBLEM

    Following is based on a Strategic Reconnaissance Team Security
    Advisory (SRT2001-07).  SCO OpenServer 5.0.6 ships with
    /opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpadmin installed suid bin.
    lpadmin handles command line arguments poorly, resulting in a
    buffer overflow.  lpadmin will core dump if fed more than 6476
    chars.

        /opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpadmin `perl -e 'print "A" x 7000'`
        Memory fault - core dumped

    This problem makes it possible to overwrite memory space of the
    running process, and potentially execute code with the inherited
    privileges of bin.

    Credit goes to Kevin Finisterre.

SOLUTION

    As a workaround, remove the set-id bits:

        chmod -s /opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpadmin
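
    To confirm the workaround took effect, the following added example
    (not part of the advisory or of SCO's patch) reports whether a file
    still carries set-id bits and lists set-id files left under a
    directory.  The function names are hypothetical; only POSIX test
    and find are assumed.

```shell
#!/bin/sh
# Added example: verify that "chmod -s" removed the set-id bits.
# Function names are hypothetical; the default path is the one
# given in the advisory.
LPADMIN=/opt/K/SCO/Unix/5.0.6Ga/usr/lib/lpadmin

# setid_state FILE
# Prints one of: missing, clean, setuid, setgid, setuid+setgid
setid_state() {
    f=$1
    if [ ! -e "$f" ]; then
        echo missing
        return 0
    fi
    state=
    if [ -u "$f" ]; then state=setuid; fi
    if [ -g "$f" ]; then state=${state:+$state+}setgid; fi
    echo "${state:-clean}"
}

# workaround_applied FILE
# Returns 0 when no set-id bit remains (or the file is absent),
# 1 when the file would still run with its owner's or group's id.
workaround_applied() {
    case $(setid_state "$1") in
        clean|missing) return 0 ;;
        *)             return 1 ;;
    esac
}

# list_setid DIR
# Prints every regular file under DIR that still has a setuid or
# setgid bit, so other set-id helpers in the same tree get reviewed.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Report on the file named as the first argument, or on lpadmin.
target=${1:-$LPADMIN}
printf '%s: %s\n' "$target" "$(setid_state "$target")" || true
```

    A result of "clean" for lpadmin means the workaround is in place;
    list_setid on the containing directory shows what else remains
    set-id there.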

    Patch:

        ftp://ftp.sco.com/SSE/sse072b.tar.Z
        ftp://ftp.sco.com/SSE/sse072b.tar.bz2
        ftp://ftp.sco.com/SSE/sse072b.ltr

    SSE072B supersedes SSE072.