ID: 3458
Date: 02/11/2007
Title: 3458 - Several IBM AIX security advisories
Platform level affected: Net Application - Server
Hardware components affected: Mainframe
Specific operating systems components affected: Unix
Net-enabled software: Other
Security software: Other
Other software: Other
Remediation Summary: Update your copy of the software with the download available from the supplier.
Vendors affected: IBM
Applications affected: swcons, lqueryvg, lquerypv, ftp, dig, bellmail, crontab
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Unknown
Potential Damage: Local execution/modification
Possible Duration: Open Ended
Availability of fix: Available
Type of fix: Patch
Source: iDefense, Inc.
Reliability of source: Known
Source URL: http://labs.idefense.com/intelligence/vulnerabilities
Abstract: Description of a number of IBM AIX vulnerabilities by iDefense, Inc.
IBM AIX swcons Local Arbitrary File Access Vulnerability
iDefense Security Advisory 10.30.07
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 30, 2007
I. BACKGROUND
The swcons program is a set-uid root application which is installed by default on IBM AIX. It allows console messages to be temporarily logged to a file or device.
II. DESCRIPTION
Local exploitation of a file access vulnerability in the swcons command included in multiple versions of IBM Corp.'s AIX could allow for the creation or modification of arbitrary files anywhere on the system.
The vulnerability specifically exists due to a lack of sanity checking when using the -p option. If a user specifies a file with the -p option, the contents of that file will be overwritten with 65,535 bytes of uncontrolled data. If the file doesn't exist, it will be created. In both cases, the file will also be converted to mode 222, which allows all users on the system to modify it. By specifying a system file, users can cause a denial of service condition or elevate privileges.
III. ANALYSIS
Exploitation allows attackers to execute arbitrary code with root privileges. The severity of this vulnerability is lessened by the fact that under a default configuration, the group id "system" is needed to execute swcons.
IBM originally released an interim fix on February 22nd, 2007. The original fix did prevent attackers from being able to overwrite or change the ownership of existing files, but did not prevent the creation of new files via symlink attacks.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability on IBM AIX version 5.2. It is suspected that previous versions are also vulnerable.
V. WORKAROUND
Only allow trusted users local access to security critical systems.
Limit access to the "system" group. Alternately, remove the set-uid bit from the swcons program.
VI. VENDOR RESPONSE
IBM Corp. has addressed this vulnerability by releasing interim fixes.
More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below.
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1
VII. CVE INFORMATION
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
VIII. DISCLOSURE TIMELINE
12/21/2004 Initial vendor notification
01/07/2005 Initial vendor response
10/30/2007 Coordinated public disclosure
IX. CREDIT
This vulnerability was reported to iDefense by Alex DeLarge.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2007 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
=============================================================================
IBM AIX 5.2 crontab BSS Buffer Overflow Vulnerability
iDefense Security Advisory 10.30.07
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 30, 2007
I. BACKGROUND
The crontab program is a user utility that enables users to create, remove, and edit cron jobs. The cron jobs will then later be executed, on behalf of the user, at the specified time. Under AIX, the crontab program is installed by default and is set-uid root. More information can be found at the URL shown.
http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.cmds/doc/aixcmds1/crontab.htm
II. DESCRIPTION
Local exploitation of a buffer overflow vulnerability in the crontab program of IBM Corp.'s AIX 5.2 operating system allows attackers to execute arbitrary code with root privileges.
The problem specifically exists within the main function. While processing command line arguments, the crontab program will copy a user-supplied argument to a fixed-size BSS (data segment) buffer. Since no bounds checking is performed, it is possible to overwrite a large portion of the data stored in the BSS memory area.
III. ANALYSIS
Exploitation allows an attacker to execute arbitrary code with root privileges. Local access is required to execute the crontab program.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability within AIX version 5.2. Previous versions are suspected to be vulnerable. AIX 5.3 does not appear to be vulnerable.
V. WORKAROUND
Removing the set-uid bit from the crontab program will protect against exploitation. However, doing so will render the program unusable.
VI. VENDOR RESPONSE
IBM Corp. has addressed this vulnerability by releasing interim fixes.
More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below.
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-4621 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
08/29/2007 Initial vendor notification
09/12/2007 Initial vendor response
10/30/2007 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
=============================================================================
IBM AIX dig dns_name_fromtext Integer Underflow Vulnerability
iDefense Security Advisory 10.30.07
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 30, 2007
I. BACKGROUND
dig is a utility that is commonly used for DNS diagnostics. Under AIX 5.2, the dig program is installed by default and is set-uid root. More information can be found at the URL shown.
http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.cmds/doc/aixcmds2/dig.htm
II. DESCRIPTION
Local exploitation of an integer underflow vulnerability in the dig program of IBM Corp.'s AIX operating system allows attackers to execute arbitrary code with root privileges.
The problem specifically exists within the dns_name_fromtext() function within the libdns.a library. This function is called when processing the '-y' command line parameter to the dig program. By supplying a specially crafted TSIG key parameter, an attacker is able to cause an integer underflow, resulting in potentially exploitable heap corruption.
III. ANALYSIS
Exploitation allows an attacker to execute arbitrary code with root privileges. Local access is required to execute the dig program.
It should be noted that this particular issue is documented within the BIND release notes as bugs #1211 and #1350. However, this particular vulnerability is specific to AIX 5.2 since it installs the dig program set-uid root.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability within AIX version 5.2. Previous versions are suspected to be vulnerable. AIX 5.3 is not vulnerable since the dig command is no longer installed set-uid root.
V. WORKAROUND
Removing the set-uid bit from the dig program will prevent exploitation.
VI. VENDOR RESPONSE
IBM Corp. has addressed this vulnerability by releasing interim fixes.
More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below.
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-4622 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
08/30/2007 Initial vendor notification
09/14/2007 Initial vendor response
10/30/2007 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
=============================================================================
IBM AIX lqueryvg Stack Buffer Overflow Vulnerability
iDefense Security Advisory 10.30.07
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 30, 2007
I. BACKGROUND
The lqueryvg utility is used to examine the properties of disk volume groups. It is installed set-uid root by default on multiple versions of AIX.
II. DESCRIPTION
Local exploitation of a stack buffer overflow vulnerability in IBM Corp.'s AIX operating system may allow an attacker to execute arbitrary code with root privileges.
The vulnerability exists within the parsing of the '-p' command line option. The argument to this option is copied into a fixed-size stack buffer using the sprintf() function without properly validating the length. This leads to an exploitable stack buffer overflow.
III. ANALYSIS
Exploitation of this vulnerability results in the execution of arbitrary code with root privileges. The binary may be executed by any user with a local account; no special group membership is needed.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in AIX version 5.2 and 5.3. Previous versions may also be affected.
V. WORKAROUND
Removing the set-uid bit from the binary will prevent exploitation, but may make the program unusable by non-root users.
VI. VENDOR RESPONSE
IBM Corp. has addressed this vulnerability by releasing interim fixes.
More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below.
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-4513 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
08/21/2007 Initial vendor notification
08/22/2007 Initial vendor response
10/30/2007 Coordinated public disclosure
IX. CREDIT
This vulnerability was discovered by Sean Larsson of VeriSign iDefense Labs.
=============================================================================
IBM AIX lquerypv Stack Buffer Overflow Vulnerability
iDefense Security Advisory 10.30.07
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 30, 2007
I. BACKGROUND
The lquerypv utility is used to examine the properties of a physical volume in a volume group. It is installed set-uid root by default on multiple versions of AIX.
II. DESCRIPTION
Local exploitation of a stack buffer overflow vulnerability in IBM Corp.'s AIX operating system may allow an attacker to execute arbitrary code with root privileges.
The vulnerability exists within the parsing of the '-V' command line option. The argument to this option is copied into a fixed-size stack buffer using the sprintf() function without properly validating the length. This leads to an exploitable stack buffer overflow.
III. ANALYSIS
Exploitation of this vulnerability results in the execution of arbitrary code with root privileges. The binary may be executed by any user with a local account; no special group membership is needed.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in AIX version 5.2 and 5.3. Previous versions may also be affected.
V. WORKAROUND
Removing the set-uid bit from the binary will prevent exploitation, but may make the program unusable by non-root users.
VI. VENDOR RESPONSE
IBM Corp. has addressed this vulnerability by releasing interim fixes.
More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below.
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-4513 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
08/21/2007 Initial vendor notification
08/22/2007 Initial vendor response
10/30/2007 Coordinated public disclosure
IX. CREDIT
This vulnerability was discovered by Sean Larsson of VeriSign iDefense Labs.
=============================================================================
IBM AIX ftp domacro Parameter Buffer Overflow Vulnerability
iDefense Security Advisory 10.30.07
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 30, 2007
I. BACKGROUND
The ftp program is a client application for accessing data stored on FTP servers. This client is responsible for interfacing with users and speaking the FTP protocol with remote servers. Under AIX, the ftp program is installed by default and is set-uid root. More information can be found at the URL shown below.
http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.cmds/doc/aixcmds2/ftp.htm
II. DESCRIPTION
Local exploitation of a buffer overflow vulnerability in the ftp client of IBM Corp.'s AIX operating system allows attackers to execute arbitrary code with root privileges.
The problem specifically exists within the domacro() function. This function is called when executing a macro via the '$' command within the ftp program. When executing a macro, the parameter is copied to a fixed-size stack buffer using an unbounded call to strcpy(). By specifying a long argument, an attacker is able to overwrite program control data located on the stack and take control of the affected process.
III. ANALYSIS
Exploitation allows an attacker to execute arbitrary code with root privileges. Local access is required to execute and interact with the ftp program.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in AIX version 5.3 (5300-06). Previous versions are suspected to be vulnerable.
V. WORKAROUND
Removing the set-uid bit from the ftp program will protect against exploitation. However, doing so will render the program unusable.
VI. VENDOR RESPONSE
IBM Corp. has addressed this vulnerability by releasing interim fixes.
More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below.
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-4217 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
08/15/2007 Initial vendor notification
08/15/2007 Initial vendor response
10/30/2007 Coordinated public disclosure
IX. CREDIT
This vulnerability was discovered by Joshua J. Drake of VeriSign iDefense Labs.
=============================================================================
IBM AIX bellmail Stack Buffer Overflow Vulnerability
iDefense Security Advisory 10.30.07
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 30, 2007
I. BACKGROUND
bellmail is a mail user-agent (MUA) and is commonly used for accessing locally stored electronic mail messages. Under AIX, the bellmail program is installed by default and is set-uid root. More information can be found at the URL shown.
http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.commadmn/doc/commadmndita/mail_bellmail.htm
II. DESCRIPTION
Local exploitation of a buffer overflow vulnerability in the bellmail program of IBM Corp.'s AIX operating system allows attackers to execute arbitrary code with root privileges.
The problem specifically exists within the sendrmt() function. This function is called when a user tries to send mail using the "m" command. Within this function, several sprintf() calls are made to concatenate user-supplied input with static strings. No bounds checking is performed to ensure that the resulting string will fit in the destination buffer located on the stack. By supplying a long parameter, an attacker is able to overwrite program control data located on the stack and take control of the affected process.
III. ANALYSIS
Exploitation allows an attacker to execute arbitrary code with root privileges. Local access is required to execute and interact with the bellmail program.
It should be noted that the bellmail program does initially set its user ID (both saved and effective) to that of the calling user. Generally, it would be sufficient to drop these privileges. However, in this case, the bellmail program uses the AIX-specific setpriv functionality to retain the ability to chown arbitrary files on the system.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability within AIX version 5.3 (5300-06) and 5.2. Previous versions are suspected to be vulnerable.
V. WORKAROUND
Removing the set-uid bit from the bellmail program will protect against exploitation. However, doing so will render the program unusable.
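The workaround sections of all seven advisories come down to the same check; as an added example (not iDefense's or IBM's code), the following POSIX shell functions audit the set-uid bit on the affected programs and, where an administrator accepts the loss of functionality the advisories describe, clear it. The install paths in AUDIT_LIST are assumed AIX defaults, not taken from the advisories, and should be adjusted to the system being checked.

```shell
#!/bin/sh
# Added example: audit and optionally remove the set-uid bit on the AIX
# programs named in the iDefense advisories. AUDIT_LIST holds assumed
# default install paths (not taken from the advisories); adjust as needed.
AUDIT_LIST="/usr/sbin/swcons /usr/sbin/lqueryvg /usr/sbin/lquerypv \
/usr/bin/ftp /usr/bin/dig /usr/bin/bellmail /usr/bin/crontab"

# setuid_state FILE
# Prints one of: missing, setuid, clear. Uses only POSIX test(1) operators
# so it behaves the same under AIX ksh and Linux sh.
setuid_state() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ -u "$1" ]; then
        echo setuid
    else
        echo clear
    fi
}

# audit_setuid FILE...
# Prints "<state> <path>" for every file so the report can be kept as evidence.
audit_setuid() {
    for f in "$@"; do
        printf '%s %s\n' "$(setuid_state "$f")" "$f"
    done
}

# count_setuid FILE...
# Prints the number of files that still carry the set-uid bit
# (0 means nothing is left to remediate).
count_setuid() {
    n=0
    for f in "$@"; do
        if [ "$(setuid_state "$f")" = setuid ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# clear_setuid FILE
# The advisories' workaround: drop the set-uid bit. The advisories note that
# crontab, ftp and bellmail then stop working for ordinary users, so prefer
# the vendor interim fix where one exists. Returns 1 if FILE is absent.
clear_setuid() {
    [ -e "$1" ] || return 1
    chmod u-s "$1"
}

# Run the audit against the default list when invoked as: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_setuid $AUDIT_LIST
    echo "set-uid programs remaining: $(count_setuid $AUDIT_LIST)"
fi
```

Run the audit first and keep its output; only call clear_setuid on a program after confirming the interim fix is not yet applied and the loss of functionality is acceptable.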
VI. VENDOR RESPONSE
IBM Corp. has addressed this vulnerability by releasing interim fixes.
More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below.
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-4623 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
08/28/2007 Initial vendor notification
08/28/2007 Initial vendor response
10/30/2007 Coordinated public disclosure
IX. CREDIT
This vulnerability was discovered by Joshua J. Drake of VeriSign iDefense Labs.
This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.
The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.
CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.
Fri, 02 Nov 2007 00:00:00 GMT
Domain affected: Technical