26th Sep 2002 [SBWID-5315]
COMMAND
	Solaris admintool local buffer overflow
SYSTEMS AFFECTED
	Solaris 2.5, 2.5.1, 2.6, 7, 8 SPARC and x86
PROBLEM
	From the advisory [ID:eSO:2397] by Kevin Kotas of eSecurityOnline Research
	[http://www.eSecurityOnline.com]:
	--snipp--
	An attacker can use a carefully constructed string with the -d command
	line option or with the PRODVERS .cdtoc file variable to gain root
	privileges.
	The first buffer overflow is related to command line execution of
	admintool with the -d switch, when a long string is used with
	"/Solaris" present.
	The second buffer overflow occurs due to a lack of bounds checking for
	the PRODVERS argument in the .cdtoc file. The .cdtoc file is used to
	specify variables for installation media. Through the software/edit/add
	feature, a local directory can be specified that contains a .cdtoc
	file. The file can contain a string of data for the PRODVERS variable
	that will cause the program to crash or execute code when processed.
	--snapp--
SOLUTION
	As a workaround, remove the setuid permissions with the following
	command:
	
	chmod -s /usr/bin/admintool
	
	Apply the following patches.
	
	Solaris 2.5: 103247-16
	Solaris 2.5_x86: 103245-16
	Solaris 2.5.1: 103558-16
	Solaris 2.5.1_x86: 103559-16
	Solaris 2.6: 105800-07
	Solaris 2.6_x86: 105801-07
	Solaris 7: 108721-02
	Solaris 7_x86: 108722-02
	Solaris 8: 10453-01
	Solaris 8_x86: 110454-01
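
	To check a host against the fix list above, the following added example (not part of the original advisory) classifies a system as patched, covered by the workaround, or exposed. The function names, the mapping from `uname -r` / `uname -p` values to the releases listed, and the use of saved `showrev -p` output are assumptions of this sketch; the patch IDs are the ones printed above.

```shell
#!/bin/sh
# Added example: audit a host against the admintool advisory's patch list.
# Run in a POSIX shell; showrev output is read from a saved file.

# required_patch RELEASE ARCH
# Prints the patch ID the advisory lists for that uname -r / uname -p pair.
required_patch() {
    case "$1/$2" in
        5.5/sparc)   echo 103247-16 ;;
        5.5/i386)    echo 103245-16 ;;
        5.5.1/sparc) echo 103558-16 ;;
        5.5.1/i386)  echo 103559-16 ;;
        5.6/sparc)   echo 105800-07 ;;
        5.6/i386)    echo 105801-07 ;;
        5.7/sparc)   echo 108721-02 ;;
        5.7/i386)    echo 108722-02 ;;
        5.8/sparc)   echo 10453-01 ;;   # ID exactly as printed in the advisory
        5.8/i386)    echo 110454-01 ;;
        *)           return 1 ;;        # release not covered by the advisory
    esac
}

# patch_ok REQUIRED_ID   (reads `showrev -p` output on stdin)
# Succeeds if the same base patch is installed at the required revision
# or a later one.
patch_ok() {
    base=${1%-*}
    rev=${1#*-}
    awk -v base="$base" -v rev="$rev" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 >= rev + 0) found = 1
        }
        END { exit !found }'
}

# audit RELEASE ARCH BINARY SHOWREV_FILE
# Prints one of: patched, workaround, exposed, unknown.
audit() {
    req=$(required_patch "$1" "$2") || { echo unknown; return; }
    if patch_ok "$req" < "$4"; then
        echo patched
    elif [ -u "$3" ]; then
        echo exposed        # unpatched and still setuid
    else
        echo workaround     # unpatched, but setuid bit is not set
    fi
}

# Usage on the host itself (paths are examples):
#   showrev -p > /tmp/showrev.out
#   audit "$(uname -r)" "$(uname -p)" /usr/bin/admintool /tmp/showrev.out
```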