• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: CDE DTTerm Terminal Name Buffer Overflow Vulnerability

Severity: HIGH

Description:

CDE is the Common Desktop Environment, an implementation of a Desktop Manager for systems that run X. It is distributed with various commercial UNIX implementations.

A problem has been discovered in a program packaged with CDE that could allow a local user to gain elevated privileges. The problem is in dtterm.

dtterm is a CDE terminal program that ships with commercial unix systems. The version of dtterm that ships with some commercial UNIX Operating Systems is vulnerable to a locally exploitable buffer overflow condition.

The argument to the -tn option (used to specify a terminal name), passed to the program at the command line, is copied onto the stack blindly without being checked for size. If the argument is large enough, it can overwrite vital stack variables when it is written to the stack, altering the program's flow of execution. If this argument is intentionally constructed with the right data at the right locations, it can result in the program executing arbitrary commands supplied by the user with the privileges of the running process.

This can result in a local user gaining administrative access on vulnerable systems.

Affected Products:

• HP HP-UX (VVOS) 10.24.0
• HP HP-UX 10.10.0
• HP HP-UX 10.20.0
• HP HP-UX 11.0.0
• HP HP-UX 11.0.0 4
• SGI IRIX 6.5.0
• SGI IRIX 6.5.1
• SGI IRIX 6.5.10
• SGI IRIX 6.5.10f
• SGI IRIX 6.5.10m
• SGI IRIX 6.5.11
• SGI IRIX 6.5.11f
• SGI IRIX 6.5.11m
• SGI IRIX 6.5.12
• SGI IRIX 6.5.12 f
• SGI IRIX 6.5.12 m
• SGI IRIX 6.5.13
• SGI IRIX 6.5.13 f
• SGI IRIX 6.5.13 m
• SGI IRIX 6.5.14
• SGI IRIX 6.5.2
• SGI IRIX 6.5.2f
• SGI IRIX 6.5.2m
• SGI IRIX 6.5.3
• SGI IRIX 6.5.3f
• SGI IRIX 6.5.3m
• SGI IRIX 6.5.4
• SGI IRIX 6.5.4f
• SGI IRIX 6.5.4m
• SGI IRIX 6.5.5
• SGI IRIX 6.5.5f
• SGI IRIX 6.5.5m
• SGI IRIX 6.5.6
• SGI IRIX 6.5.6f
• SGI IRIX 6.5.6m
• SGI IRIX 6.5.7
• SGI IRIX 6.5.7f
• SGI IRIX 6.5.7m
• SGI IRIX 6.5.8
• SGI IRIX 6.5.8f
• SGI IRIX 6.5.8m
• SGI IRIX 6.5.9
• SGI IRIX 6.5.9f
• SGI IRIX 6.5.9m

References:

• Hewlett Packard: HP Support

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.