{"vuid":"VU#928598","idnumber":"928598","name":"Sun Solaris dtmail contains a format string vulnerability","keywords":["Sun","Solaris","CDE Mailer","dtmail","dtmail(1X)","format string","Group ID","GID","privilege escalation","/var/mail"],"overview":"A vulnerability in the way dtmail handles command-line arguments could allow an attacker to execute arbitrary code.","clean_desc":"The dtmail program is a mail user agent (MUA) for the Common Desktop Environment (CDE). It provides a graphical user interface for reading, sending, and managing email. There is a vulnerability in the way Sun Solaris dtmail handles command-line arguments. By supplying a specially crafted argv[0] value containing a format string specifier, a local user could execute arbitrary code with privileges of the vulnerable process.","impact":"A local user could execute arbitrary code with privileges of the vulnerable process, typically group mail. With these privileges, the user would have the ability to read, modify, and delete email of other users.","resolution":"Apply patch Sun has issued an advisory which addresses this issue. 
For more information on patches available for your system, please refer to Sun Security Alert 57627.","workarounds":"Remove set-group-ID bit Remove the \"set-group-ID\" bit from dtmail by doing the following: chmod 0555 /usr/dt/bin/dtmail Note: This may cause users to be unable to read NFS mounted mailboxes.","sysaffected":"","thanks":"This vulnerability was reported by iDEFENSE Labs.","author":"This document was written by Damon Morda.","public":["http://www.idefense.com/application/poi/display?id=132&type=vulnerabilities","http://www.sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57627","http://secunia.com/advisories/12363/","http://secunia.com/product/4615/","http://www.ciac.org/ciac/bulletins/o-202.shtml"],"cveids":["CVE-2004-0800"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2004-08-25T12:46:24Z","publicdate":"2004-08-23T00:00:00Z","datefirstpublished":"2004-08-25T18:26:18Z","dateupdated":"2005-05-16T15:00:22Z","revision":20,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"7","cam_population":"15","cam_impact":"13","cam_easeofexploitation":"7","cam_attackeraccessrequired":"10","cam_scorecurrent":"5.630625","cam_scorecurrentwidelyknown":"6.9103125","cam_scorecurrentwidelyknownexploited":"12.0290625","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":5.630625,"vulnote":null}