Vulnerabilities > CVE-2002-0158 - Heap Overflow vulnerability in Sun Solaris XSun Color Database File

047910
CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
sun
nessus
exploit available

Summary

Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument.

Vulnerable Configurations

Part | Description | Count
OS | Sun | 6

Exploit-Db

description: Sun Solaris 2.6/7.0/8 XSun Color Database File Heap Overflow Vulnerability. CVE-2002-0158. Local exploit for solaris platform
id: EDB-ID:21360
last seen: 2016-02-02
modified: 2002-04-02
published: 2002-04-02
reporter: gloomy
source: https://www.exploit-db.com/download/21360/
title: Sun Solaris 2.6/7.0/8 XSun Color Database File Heap Overflow Vulnerability

Nessus

NASL family: Misc.
NASL id: OPENSERVER_OVERFLOWS.NASL
description: According to its telnet banner, the remote host is a SCO Unix server running OpenServer version 5.0.5, 5.0.6, or 5.0.7. Such versions are vulnerable to two distinct exploits. Namely, - Xsco can be locally exploited by any valid user in order to escalate their privileges to …
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11895
published: 2003-10-16
reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11895
title: SCO OpenServer Multiple Local Privilege Escalation Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

# Registration pass: when 'description' is set the script only declares its
# metadata and then exits, before any of the detection code below is reached.
if (description)
{
  # Plugin identity and the advisories it is mapped to.
  script_id(11895);
  script_version("1.21");
  script_cve_id("CVE-2002-0158", "CVE-2002-0164");
  script_bugtraq_id(4396, 4985);

  script_name(english:"SCO OpenServer Multiple Local Privilege Escalation Vulnerabilities");

  # Report text. The description names two issues: the Xsco '-co' switch
  # handling and the MIT-SHM extension in X servers running as root.
  script_set_attribute(attribute:"synopsis", value:
"The remote server is affected by multiple local privilege escalation
vulnerabilities." );
  script_set_attribute(attribute:"description", value:
"According to its telnet banner, the remote host is a SCO Unix server
running OpenServer version 5.0.5, 5.0.6, or 5.0.7.  Such versions are
vulnerable to two distinct exploits.  Namely,

  - Xsco can be locally exploited by any valid user in
    order to escalate their privileges to 'root'.  The bug 
    is due to improper input handling when running the 
    command line switch '-co'.

  - There is a vulnerability in the MIT-SHM extension within
    all X servers that are running as root.  Any user with 
    local X access can exploit the MIT-SHM extension and 
    gain read/write access to any shared memory segment on 
    the system." );

  # References and remediation.
  script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=101776858410652&w=2");
  script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=103547625009363&w=2");
  script_set_attribute(attribute:"see_also", value:"ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.26");
  script_set_attribute(attribute:"solution", value:
"Install the patched binaries referenced in the vendor's advisory." );

  # Scoring: CVSS v2 base vector is local access, low complexity, no
  # authentication, complete C/I/A impact.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # Dates and revision stamp.
  script_set_attribute(attribute:"plugin_publication_date", value:"2003/10/16");
  script_set_attribute(attribute:"vuln_publication_date", value:"2002/03/15");
  script_cvs_date("Date: 2018/11/15 20:50:23");

  # Declared as a remote check even though both issues are local: the
  # script reads only a telnet banner (see the detection code after this block).
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # Scheduling: information-gathering category, run after service
  # discovery, and only when a telnet service (or port 23) is in scope.
  script_summary(english:"Checks the remote SCO OpenServer");
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
  script_family(english:"Misc.");
  script_dependencie("find_service1.nasl");
  script_require_ports("Services/telnet", 23);

  exit(0);
}




# Detection pass.
#
# Both issues are local, so nothing is probed directly: the verdict rests
# solely on the release string found in the telnet banner.
# NOTE(review): a match shows the advertised release, not whether the
# vendor's patched binaries are installed. Presumably a patched host still
# advertises the same release, so confirm on the host before treating a
# hit as conclusive. A host with telnet disabled or a customised banner
# is never flagged.
# NOTE(review): only SCO OpenServer banners match. A Solaris host, the
# platform named in the CVE-2002-0158 summary, is never flagged by this check.

include("telnet_func.inc");

telnet_port = get_kb_item("Services/telnet");
if (!telnet_port)
{
  # No telnet service recorded in the knowledge base: use the default port.
  telnet_port = 23;
}

banner = get_telnet_banner(port:telnet_port);

# Releases 5.0.5 through 5.0.7 are the ones this plugin reports.
# NOTE(review): the pattern is not anchored after the final digit, so a
# longer release string that starts with one of these would also match.
release_seen = egrep(pattern:".*SCO OpenServer\(TM\) Release.*5\.0\.[5-7].*", string:banner);
if (release_seen)
{
  # The finding is raised with port argument 0, not the telnet port.
  security_hole(0);
}

Oval

  • accepted: 2016-02-08T10:00:00.000-05:00
    class: vulnerability
    contributors:
      name: David Proulx
      organization: The MITRE Corporation
    description: Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument.
    family: unix
    id: oval:org.mitre.oval:def:14
    status: accepted
    submitted: 2002-08-23T12:00:00.000-04:00
    title: Sun Solaris 8 XSun Color Database File Heap Overflow
    version: 35
  • accepted: 2016-02-08T10:00:00.000-05:00
    class: vulnerability
    contributors:
      name: David Proulx
      organization: The MITRE Corporation
    description: Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument.
    family: unix
    id: oval:org.mitre.oval:def:33
    status: accepted
    submitted: 2002-10-17T12:00:00.000-04:00
    title: Sun Solaris 7 XSun Color Database File Heap Overflow
    version: 35