Title: CrossWind CyberScheduler websyncd remote Buffer Overflow Vulnerability
Severity: HIGH
Description:
CrossWind CyberScheduler is a team-oriented scheduling and calendaring package designed for use in corporate intranets. It consists of two distinct parts for - a set of cgi scripts on a web server and a set of daemons (or services) on a database server. Both parts of CyberScheduler are available for Windows NT, Linux and a range of UNIX platforms including Solaris.
One of the CyberScheduler daemons 'websyncd' (websyncd.exe on Windows NT) contains an exploitable buffer overflow in its timezone string parser. A timezone string is passed to websyncd by the websync.cgi cgi program (websync.exe on NT) through the tzs form variable.
262 bytes are reserved on the stack for the timezone string in websyncd, but no bounds checking is performed in either websync.cgi or websync. Therefore a stack overflow can occur in websyncd if a long string is specified in the tzs variable in a request to websync.cgi.
Because websyncd runs as root [1], a stack overflow allows arbitrary code execution as root.
Additionally, because the overflow occurs before any logon credentials are verified by websync.cgi, unprivileged remote users can exploit this vulnerability.
[1] The install scripts included with CyberScheduler appear to start websyncd as root, but it is unclear whether websyncd needs to run as root.
Affected Products:
- CrossWind CyberScheduler 2.1.0
References:
- CrossWind: CyberScheduler Data Sheet
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
