Roman Medina-Heigl Hernandez wrote:
>>> Product Name : dtmail
>>> Product Version : 5.1b
>>> Vendor Name : Hewlett Packard
>>> Criticality : Local Root Compromise
>>> Effort : Easy
>>> Operating System : Tru64
>>> Type : Unchecked Buffer
>
> Hello,
>
> I've just installed the vulnerable package in my test-bed:
>
> # uname -a
> OSF1 alpha V5.1 2650 alpha
> # pwd
> /mnt/ALPHA/BASE
> # setld -l . OSFCDEMAIL540
> # ls -l /usr/dt/bin/dtmail
> -r-xr-sr-x 1 bin mail 1212752 Oct 17 2002 /usr/dt/bin/dtmail
> #
>
> How is this a local root? (binary is setgid "mail" but not setuid "root")

Confirmed by HP: *NOT* a local root.

"The vulnerability could be exploited by a local, authorized user to execute arbitrary code as a member of the 'mail' group."

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c00793805&jumpid=reg_R1002_USEN

Interestingly enough, the bug is also present in HPUX (same scope, again not a local root).

Netragard ppl should fix their advisory and web site...

--
Regards,
-Roman

PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
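
The check the thread turns on, reading the mode bits and ownership from an `ls -l` line to bound what a bug in the binary can yield, as an added example that is not part of the original post or HP's advisory. The helper names `priv_scope` and `is_local_root` and the second listing line are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the privilege scope of a binary from one `ls -l` line.

# priv_scope LINE -> prints the identities the program runs with beyond the
# caller's own: "euid=<owner>", "egid=<group>", both, or "caller" if neither.
priv_scope() {
    # Split the listing into mode, link count, owner, group, remainder.
    read -r mode _links owner group _rest <<EOF
$1
EOF
    scope=""
    # Character 4 is the owner-execute slot: 's' = setuid and executable.
    case $mode in -??s*) scope="euid=$owner" ;; esac
    # Character 7 is the group-execute slot: 's' = setgid and executable.
    case $mode in -?????s*) scope="${scope:+$scope }egid=$group" ;; esac
    # An uppercase 'S' means the bit is set without execute permission for
    # that class, so it is deliberately not matched above.
    printf '%s\n' "${scope:-caller}"
}

# is_local_root LINE -> succeeds only when the binary is setuid AND owned by root.
is_local_root() {
    case " $(priv_scope "$1") " in
        *" euid=root "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Listing line quoted in the post above.
DTMAIL='-r-xr-sr-x 1 bin mail 1212752 Oct 17 2002 /usr/dt/bin/dtmail'
# Constructed contrast case: a setuid-root binary (hypothetical path).
SUID_ROOT='-r-sr-xr-x 1 root bin 40960 Jan 1 2002 /usr/local/bin/example'

for line in "$DTMAIL" "$SUID_ROOT"; do
    if is_local_root "$line"; then
        verdict="local root"
    else
        verdict="not local root"
    fi
    printf '%s -> %s (%s)\n' "${line##* }" "$(priv_scope "$line")" "$verdict"
done
```
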
