COMMAND

    libauth

SYSTEMS AFFECTED

    Solaris 2.2, 2.3, 2.4, 2.5, 2.5.1, 2.6

PROBLEM

    Following is based on RSI Alert Advisory and it was found by  Matt
    Conover.  Two buffer overflows exist in Sun Microsystem's  libauth
    library.  When  ia_open_session () is  called, it copies  both the
    connecting hostname and username into seperate local buffers  with
    no  bounds  checking.   ia_open_session  ()  attempts to write the
    information  passed  to  it  into  these buffers to maintain utmpx
    information on the  user logging into  the system.   Because these
    buffers are set at a fixed  value of 257 bytes, it is  possible to
    cause  a  buffer  overflow.   While  overwriting  the  buffer, the
    attacker can manipulate the stack and execute their own  commands,
    possibly gaining root access on the system.

    Functions RSI have found vulnerable:

        ia_open_session ()      : Copies information passed to it
                                  into two local buffers which can
                                  result in a buffer overflow.

    Potentially vulnerable programs:

        1. login
        2. in.ftpd
        3. in.uucpd
        4. rpc.rexd

SOLUTION

    No fixes are currently available.