Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
    • Risk Management Delivery Group
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > February 2005 > iDEFENSE Security Advisory 02.08.05 - IBM AIX auditselect Local Format String Vulnerability

February 2005

iDEFENSE Security Advisory 02.08.05 - IBM AIX auditselect Local Format String Vulnerability

ID: 00117
Ref: 101/2005
Date: 09 February 2005:15:07:07
Version: 1
Title: iDEFENSE Security Advisory 02.08.05 - IBM AIX auditselect Local Format String Vulnerability
Abstract: Local exploitation of a format string vulnerability in the auditselect command included by default in multiple versions of IBM Corp.'s AIX operating system could allow for arbitrary code execution as the root user.
Vendors affected: iDEFENSE
Operating systems affected: iDEFENSE
Applications affected: iDEFENSE
Title
=====

iDEFENSE Security Advisory 02.08.05 - IBM AIX auditselect Local Format
String Vulnerability

Detail
======

Local exploitation of a format string vulnerability in the auditselect
command included by default in multiple versions of IBM Corp.'s AIX
operating system could allow for arbitrary code execution as the root
user.



- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================

ESB-2005.0124 -- iDEFENSE Security Advisory 02.08.05
IBM AIX auditselect Local Format String Vulnerability
9 February 2005

===========================================================================



Publisher: iDEFENSE
Operating System: AIX
Impact: Root Compromise
Execute Arbitrary Code/Commands
Access: Existing Account

Original Bulletin: http://www.idefense.com/application/poi/display?id=193

- - --------------------------BEGIN INCLUDED TEXT--------------------

IBM AIX auditselect Local Format String Vulnerability

iDEFENSE Security Advisory 02.08.05
www.idefense.com/application/poi/display?id=193&type=vulnerabilities
February 08, 2005

I. BACKGROUND

The auditselect program is a setuid root application, installed by
default under multiple versions of IBM AIX, that selects audit records
for analysis according to defined criteria.

II. DESCRIPTION

Local exploitation of a format string vulnerability in the auditselect
command included by default in multiple versions of IBM Corp.'s AIX
operating system could allow for arbitrary code execution as the root
user.

The vulnerability specifically exists due to an improperly used
formatted printing function. When provided with an incorrect argument
(argv[1]) that contains a format string, the format string will be fed
into a formatted printing function, and the user supplied format string
will be evaluated, allowing for a malicious user to examine stack memory
and write to arbitrary memory locations. With a properly crafted string,
this can lead to the execution of arbitrary code.

III. ANALYSIS

This vulnerability can only be exploited by a local user who has been
granted access to the "audit" group. Successful exploitation leads to
root-level access.

Due to the nature of the vulnerability, information leakage is trivial
and aids the attacker in exploitation.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in IBM AIX
version 5.2. It is suspected that previous versions are also vulnerable.

IBM has reported that AIX 5.3 is also vulnerable.

V. WORKAROUND

Only allow trusted users local access to security critical systems. Only

allow trusted system administrators access to the "audit" group.
Alternately, remove the setuid bit from auditselect using chmod u-s
/usr/sbin/auditselect.

VI. VENDOR RESPONSE

The vendor has not released a patch for this issue, however, the following
details have been published:

http://www-1.ibm.com/support/docview.wss?uid=isg1IY67519

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

12/21/2004 Initial vendor notification
01/07/2005 Initial vendor response
02/08/2005 Public disclosure

IX. CREDIT

iDEFENSE Labs is credited with this discovery.

Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
iDEFENSE. If you wish to reprint the whole or any part of this alert in
any other medium other than electronically, please email
customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

- - --------------------------END INCLUDED TEXT--------------------


iQCVAwUBQgmEnyh9+71yA2DNAQKLvwP7BcmR9QZkgFYWs7/pw3YYgG8wLtGc1bGY
ap9E7kw62ILIB5j31hnvZtatNCz5GBqgJ304j5ZWYEkPioxjlzuqhyEcRpyAIZpk
qTdse8c+jrhM3OQ3iuhX1BwCcg7HhmfwAF4CyOO7PLrZ+f3oVv+1Uog3uB9jViqU
I7MkHp3uwik=
=9vXv
- -----END PGP SIGNATURE-----
  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |