{"vuid":"VU#322540","idnumber":"322540","name":"HP-UX \"rexec\" command vulnerable to buffer overflow when supplied overly long command line argument to \"-l\" option","keywords":["HP-UX","rexec command","buffer overflow","long string of characters","-l option"],"overview":"A buffer overflow vulnerability in the rexec program supplied in some versions of the HP-UX operating system could allow local users to gain privileged access.","clean_desc":"The rexec program allows local users to execute commands on remote servers. rexec calls the rexec subroutine to act as a client for the remote host's rexecd server. The rexec program includes a \"-l\" command-line option that allows an alternate login name to be specified on the remote host. The rexec program supplied with some versions of the HP-UX operating system contains a buffer overflow in the handling of the username argument passed to the \"-l\" option. An overly long username causes the rexec program to crash with a segmentation fault and could allow a local attacker to execute commands of their choosing on the local system. Since the rexec program is normally setuid to root, these commands would be executed with root privileges.","impact":"On systems running vulnerable versions of HP-UX where the rexec program is setuid to user root, local users may be able to execute code as root, thereby compromising the system.","resolution":"Hewlett-Packard has released software patches and workaround information for this vulnerability. Please see the vendor information section of this document for more details.","workarounds":"Sites may wish to consider removing the setuid permissions from the rexec client program on systems that do not require its use.","sysaffected":"","thanks":"Thanks to Davide Del Vecchio for reporting this vulnerability.","author":"This document was written by Chad R Dougherty.","public":["http://www.securityfocus.com/bid/7459"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2003-04-29T20:20:18Z","publicdate":"2003-04-29T00:00:00Z","datefirstpublished":"2003-05-28T20:39:47Z","dateupdated":"2003-07-25T19:58:03Z","revision":13,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"3","cam_population":"15","cam_impact":"19","cam_easeofexploitation":"15","cam_attackeraccessrequired":"10","cam_scorecurrent":"14.428125","cam_scorecurrentwidelyknown":"18.4359375","cam_scorecurrentwidelyknownexploited":"34.4671875","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":14.428125,"vulnote":null}