Unrated severity · NVD Advisory · Published Nov 4, 1999 · Updated Apr 16, 2026

CVE-1999-1571

Description

Buffer overflow in SCO OpenServer sar -f parameter allows local users to gain root privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A buffer overflow exists in the sar utility on SCO OpenServer, affecting all releases from 5.0.0 up to and including 5.0.5 [1]. The vulnerability is triggered by supplying an overly long argument to the -f parameter. This is distinct from another overflow in the -o parameter (CVE-1999-1570).

Exploitation

An attacker must have local access to the system and be able to execute the sar binary, which is setuid root. By passing a specially crafted long string to the -f option, the attacker can overflow a buffer. For example, a string of 2104 'A' characters causes a crash, and 2105 characters trigger a segmentation fault and overwrite the instruction pointer with 0x41414141, indicating control of the return address [1].

Impact

Successful exploitation allows a local unprivileged user to execute arbitrary code with root privileges, because sar runs with setuid root. This results in complete compromise of the affected system [1][2].

Mitigation

SCO released an interim patch in the form of System Security Enhancement (SSE) package SSE037. The package provides replacement binaries for OpenServer versions 5.0.0 through 5.0.5 and was available for download from SCO's FTP server at ftp://ftp.sco.COM/SSE/sse037.tar.Z [2]. No workaround is documented; applying the patch is the recommended solution. The affected versions have long reached end-of-life, and no further updates are available.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
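
Because the trigger is an overly long value for -f (or -o, per CVE-1999-1570), process-execution records can be checked for it. The following is an added example, not code from the advisory or from SCO: it flags sar invocations whose -f or -o value exceeds a length limit. The record layout, the 1024-byte limit, the getopt-style option set and the sample paths are assumptions.

```python
import os

# Assumption: sar parses options getopt-style. -f and -o are the options the
# advisory names; -s, -e and -i are listed only so their values are skipped.
TAKES_VALUE = set("foesi")
WATCHED = set("fo")
MAX_ARG_LEN = 1024  # assumed ceiling for a legitimate file path; tune per site


def long_sar_args(argv, limit=MAX_ARG_LEN):
    """Return [(option, value_length)] for -f/-o values longer than limit."""
    if not argv or os.path.basename(argv[0]) != "sar":
        return []
    hits, i = [], 1
    while i < len(argv):
        arg = argv[i]
        i += 1
        if len(arg) < 2 or not arg.startswith("-"):
            continue  # operand such as the interval or count
        for pos, ch in enumerate(arg[1:], start=1):
            if ch not in TAKES_VALUE:
                continue  # plain flag inside a cluster such as -uf
            value = arg[pos + 1:]  # attached form: -fVALUE
            if not value and i < len(argv):
                value = argv[i]  # separate form: -f VALUE
                i += 1
            if ch in WATCHED and len(value) > limit:
                hits.append(("-" + ch, len(value)))
            break  # the rest of this argument was the value
    return hits


def scan(records, limit=MAX_ARG_LEN):
    """Return [(uid, option, value_length)] across a list of exec records."""
    return [(r["uid"], opt, n) for r in records
            for opt, n in long_sar_args(r["argv"], limit)]


# Constructed exec records for illustration; not taken from a real system.
SAMPLE = [
    {"uid": 1001, "argv": ["/usr/bin/sar", "-u", "-f", "/var/adm/sa/sa04"]},
    {"uid": 1002, "argv": ["sar", "-f", "A" * 2105]},
    {"uid": 1002, "argv": ["sar", "-o" + "B" * 3000, "5", "2"]},
    {"uid": 1003, "argv": ["/bin/ls", "-f", "C" * 5000]},
]

if __name__ == "__main__":
    for uid, opt, n in scan(SAMPLE):
        print(f"uid={uid}: sar {opt} value is {n} bytes")
```

Feed `scan` with argv lists taken from whatever execution auditing the host provides; a hit from an unprivileged uid against a setuid-root sar is worth investigating.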

Affected products

  • cpe:2.3:o:sco:openserver:5.0.0:*:*:*:*:*:*:*
  • cpe:2.3:o:sco:openserver:5.0.5:*:*:*:*:*:*:*
  • Range: 5.0.0 - 5.0.5
