{"vuid":"VU#351219","idnumber":"351219","name":"Sun Solaris ptexec does not adequately validate argument passed via -o option","keywords":["Sun Solaris","ptexec","-o","user input","400 characters","setuid root","VU#351219"],"overview":"The Sun Solaris ptexec command is subject to a buffer overflow due to not adequately validating arguments passed via the -o option.","clean_desc":"A locally exploitable buffer overflow exists in the ptexec command which is included in the SUNWvts package. This package is not included in the typical default installation of Solaris. If this package is installed, it is typically installed setuid root by default. If this vulnerability is exploited by an intruder, it would allow for the execution of arbitrary code on the victim host. Due to insufficient handling of input by the -o option of the ptexec command, a buffer overflow will occur when 400 or more characters are given as input to this command. Because of this, an intruder can overwrite the memory space of the running process.","impact":"A local user can execute arbitrary code with root privileges.","resolution":"Either apply a patch (when available), or upgrade to a later release of SunVTS (4.3 or later).","workarounds":"","sysaffected":"","thanks":"This vulnerability was discovered by Pablo Sor <psor@afip.gov.ar> and was reported to the \nBugtraq mailing list on June 21, 2001. The CERT/CC thanks Sun Microsystems for their cooperation in the production of this document.","author":"This document was written by Ian A. Finlay","public":["http://www.securityfocus.com/bid/2898","http://www.sun.com/oem/products/vts/","http://www.securityfocus.com/archive/1/192667"],"cveids":["CVE-2001-0701"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2001-06-22T18:46:31Z","publicdate":"2001-06-21T00:00:00Z","datefirstpublished":"2002-08-28T17:24:40Z","dateupdated":"2002-08-28T17:25:01Z","revision":57,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"20","cam_exploitation":"10","cam_internetinfrastructure":"5","cam_population":"5","cam_impact":"20","cam_easeofexploitation":"20","cam_attackeraccessrequired":"10","cam_scorecurrent":"13.125","cam_scorecurrentwidelyknown":"13.125","cam_scorecurrentwidelyknownexploited":"16.875","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":13.125,"vulnote":null}