Signature Detail

APP: Netscape Fastrack scohelp Buffer Overflow

This signature detects attempts to exploit a known vulnerability against SCO Unixware's Netscape Fasttrack scohelp httpd service. An attacker can supply an overly long URL to potentially gain command-line access as the user running the service, to the victim host. A successful attack can cause a buffer overflow condition. This is known to affect scohelp 2.01a running on SCO Unixware 7.1.

Extended Description

SCO Unixware 7 default installation includes scohelp, an http server that listens on port 457/tcp and allows access to manual pages and other documentation files. The search CGI script provided for that purpose has a vulnerability that could allow any remote attacker to execute arbitrary code on the vulnerable machine with privileges of user "nobody". This poses a threat that could result in the remote compromise of the vulnerable host and provide a staging point from where an attacker could escalate privileges.

Affected Products

• SCO Unixware 7.0.0

References

• BugTraq: 1717
• CVE: CVE-2000-1014
• URL: http://www.pestpatrol.com/pestinfo/u/unixware_scohelp_http_server_format_string_vulnerability.asp
• URL: http://www2.corest.com/common/showdoc.php?idx=126&idxseccion=10
• URL: http://www.securiteam.com/unixfocus/6Q00S0K06U.html