Bugtraq mailing list archives

AIX Security APARs


From: aleph1 () DFW NET (Aleph One)
Date: Mon, 2 Jun 1997 11:30:24 -0500


Date: Mon, 2 Jun 1997 04:58:50 -0500
From: AIX Service Mail Server <aixserv () synergy austin ibm com>
Subject: Security

This file contains summary information on AIX security alerts published
by the Computer Emergency Response Team (CERT), and the IBM Emergency
Response Team (ERS).  The full text of these alerts can be obtained from
this mail server by requesting the 'CERT' and 'ERS' files.  This
information (and more) is available from CERT and ERS directly on the
world-wide web at the following URLs:

  CERT: http://www.cert.org/

   ERS: http://www.ers.ibm.com/

The fixes mentioned in this document are available from FixDist.
Information on obtaining and using FixDist is available by requesting
the 'FixDist' document from this mail server, or at the following URL
on the world-wide web:

  http://service.software.ibm.com/aix.us/fixes

The 'Security_APARs' document on this mail server contains a list of
security related APARs for which fixes are available as of April 1997.
===============================================================================
===============================================================================
Topic: lquerylv buffer overflow

1.  Description

    A buffer overflow exploit in the lquerylv command has been made
    public.

2.  Fixes

    AIX 3.2: APAR IX66230  (PTF U447739)
    AIX 4.1: APAR IX66231
    AIX 4.2: APAR IX66232
===============================================================================
===============================================================================
CERT* Advisory CA-97.16
Original issue date: May 29, 1997
Last revised: --

Topic: ftpd Signal Handling Vulnerability

-----------------------------------------------------------------------------
1.  Description

    AUSCERT has received information concerning a vulnerability in some
    vendor and third party versions of the Internet File Transfer Protocol
    server, ftpd(8).

    This vulnerability is caused by a signal handling routine increasing
    process privileges to root, while still continuing to catch other
    signals.  This introduces a race condition which may allow regular,
    as well as anonymous ftp, users to access files with root privileges.
    Depending on the configuration of the ftpd server, this may allow
    intruders to read or write to arbitrary files on the server.

    This attack requires an intruder to be able to make a network
    connection to a vulnerable ftpd server.

    Sites should be aware that the ftp services are often installed by
    default.  Sites can check whether they are allowing ftp services by
    checking, for example, /etc/inetd.conf:

        # grep -i '^ftp' /etc/inetd.conf

    Note that on some systems the inetd configuration file may have a
    different name or be in a different location.  Please consult your
    documentation if the configuration file is not found in
    /etc/inetd.conf.

    If your site is offering ftp services, you may be able to determine
    the version of ftpd by checking the notice when first connecting.

    The vulnerability status of specific vendor and third party ftpd
    servers can be found in Section 3.

    Information involving this vulnerability has been made publicly
    available.

2.  Impact

    Regular and anonymous users may be able to access arbitrary files with
    root privileges.  Depending on the configuration, this may allow
    anonymous, as well as regular, users to read or write to arbitrary
    files on the server with root privileges.

3.  Workarounds/Solution

    The version of ftpd shipped with AIX is vulnerable to the conditions
    described in the advisory.  The following APARs will be available
    shortly:

       AIX 3.2:  APAR IX65536
       AIX 4.1:  APAR IX65537
       AIX 4.2:  APAR IX65538
===============================================================================
===============================================================================
CERT* Advisory CA-97.13
Original issue date: May 7, 1997
Last revised: --

Topic: Vulnerability in xlock
-----------------------------------------------------------------------------
I.   Description

     xlock is a program that allows a user to "lock" an X terminal. A buffer
     overflow condition exists in some implementations of xlock. It is
     possible to attain unauthorized access to a system by engineering a
     particular environment and calling a vulnerable version of xlock that has
     setuid or setgid bits set. Information about vulnerable versions must be
     obtained from vendors. Some vendor information can be found in Appendix A
     of this advisory.

     Exploitation information involving this vulnerability has been made
     publicly available.

II.  Fixes

     AIX 3.2:  APAR IX68189
     AIX 4.1:  APAR IX68190
     AIX 4.2:  APAR IX68191
===============================================================================
===============================================================================
CERT* Advisory CA-97.11
Original issue date: May 1, 1997
Last revised: --

Topic: Vulnerability in libXt
-----------------------------------------------------------------------------
I.   Description

     There have been discussions on public mailing lists about buffer
     overflows in the Xt library of the X Windowing System made freely
     available by The Open Group (and previously by the now-defunct X
     Consortium). During these discussions, exploitation scripts were made
     available for some platforms.

     The specific problem outlined in those discussions was a buffer overflow
     condition in the Xt library and the file xc/lib/Xt/Error.c. It was
     possible for a user to execute arbitrary instructions as a privileged
     user using a program built by this distribution with setuid or setgid
     bits set.

     Note that in this case a root compromise was only possible when
     programs built from this distribution (e.g., xterm) were setuid
     root.

II.  Impact

     Platforms that have X applications built with the setuid or setgid
     bits set may be vulnerable to buffer overflow conditions. These
     conditions can make it possible for a local user to execute arbitrary
     instructions as a privileged user without authorization. Access to an
     account on the system is necessary for exploitation.

III. Fixes

     AIX 3.2: APARs IX61784 IX67047 IX66713 (PTFs U445908 U447740)
     AIX 4.1: APARs IX61031 IX66736 IX66449
     AIX 4.2: APARs IX66824 IX66352
===============================================================================
===============================================================================
VULNERABILITY:  Buffer overflows in NLS environment variables
PLATFORMS:      IBM AIX(r) 3.2.x, 4.1.x, 4.2.x
SOLUTION:       Apply the fixes described below.
THREAT:         If exploited, this condition may permit unauthorized
                super-user access to the system
-------------------------------------------------------------------------------
I. Description

There are buffer overflows in the way that AIX handles certain
NLS environment variables.

II.  Impact

Unprivileged users may gain root access.  An exploit has been published
detailing this vulnerability.

III.  Fixes

  AIX 3.2: APAR IX67405 (PTFs U447656 U447671 U447676 U447682 U447705 U447723)
  AIX 4.1: APAR IX67407
  AIX 4.2: APAR IX67377
  ---------------
  A temporary patch is available via anonymous ftp from:

    ftp://testcase.software.ibm.com/aix/fromibm/README.NLS_security_fix
    ftp://testcase.software.ibm.com/aix/fromibm/NLS_security_fix.42.tar
    ftp://testcase.software.ibm.com/aix/fromibm/NLS_security_fix.41.tar
    ftp://testcase.software.ibm.com/aix/fromibm/NLS_security_fix.32.tar

    MD5 checksums:

    MD5 (NLS_security_fix.32.tar) = 8382b9907e1c52ba01bb0d54a6398e09
    MD5 (NLS_security_fix.41.tar) = 2935f43ebd86e8c64bfae3a533f152f7
    MD5 (NLS_security_fix.42.tar) = e3c26df51d27701d5784225da945de8e
===============================================================================
===============================================================================
VULNERABILITY:  LIBPATH not ignored for setgid executables
PLATFORMS:      IBM AIX(r) 3.2.x, 4.1.x, 4.2.x
SOLUTION:       Apply the fixes described below.
THREAT:         If exploited, this condition may permit unauthorized
                super-user access to the system
-------------------------------------------------------------------------------
I. Description

AIX does not ignore the LIBPATH environment variable when executing
setgid executables.

II.  Impact

Unprivileged users may gain access to system groups.  There have been
reports of this being used to gain root access from a local account.

III.  Fixes

  AIX 3.2: APAR IX66299 (PTF U447666)
  AIX 4.1: APAR IX66340
  AIX 4.2: APAR IX66344
=============================================================================
=============================================================================
CERT(sm) Advisory CA-97.06
Original issue date: February 6, 1997
Last revised: --

Topic: Vulnerability in rlogin/term
-----------------------------------------------------------------------------
  See the appropriate release below to determine your action.


  AIX 3.2:  APAR IX57724
  AIX 4.1:  APAR IX57972
  AIX 4.2:  No APAR required.
=============================================================================
=============================================================================
CERT(sm) Advisory CA-97.05
Original issue date: January 28, 1997
Last revised: --

Topic: MIME Conversion Buffer Overflow in Sendmail Versions 8.8.3 and 8.8.4
-----------------------------------------------------------------------------
   The version of sendmail shipped with AIX is not vulnerable to the 7
   to 8 bit MIME conversion vulnerability detailed in this advisory.
=============================================================================
=============================================================================
CERT(sm) Advisory CA-97.04
Original issue date: January 27, 1997
Last revised: --

Topic: talkd Vulnerability
-----------------------------------------------------------------------------
   The version of talkd shipped with AIX is vulnerable to the conditions
   described in this advisory.  The APARs listed below will be available
   shortly.  It is recommended that the talkd daemon be turned off until
   the APARs are applied.

    AIX 3.2:   APAR IX65474
    AIX 4.1:   APAR IX65472
    AIX 4.2:   APAR IX65473
=============================================================================
=============================================================================
CERT(sm) Advisory CA-96.26
Original issue date: December 18, 1996
Last revised: --

Topic: Denial-of-Service Attack via ping
-----------------------------------------------------------------------------
  See the appropriate release below to determine your action.

  AIX 3.2
  -------
    APAR - IX59644 (PTF - U444227 U444232)

  AIX 4.1
  -------
    APAR - IX59453

  AIX 4.2
  -------
    APAR - IX61858

  IBM SNG Firewall
  ----------------

      NOTE: The fixes in this section should ONLY be applied to systems
      running the IBM Internet Connection Secured Network Gateway (SNG)
      firewall software.  They should be applied IN ADDITION TO the IBM
      AIX fixes listed in the previous section.

     IBM SNG V2.1
     ------------
         APAR - IR33376 PTF UR46673

     IBM SNG V2.2
     ------------
         APAR - IR33484 PTF UR46641
=============================================================================
=============================================================================
CERT(sm) Advisory CA-96.25
Original issue date: December 10, 1996
Last revised: --

Topic: Sendmail Group Permissions Vulnerability
-----------------------------------------------------------------------------
  The version of sendmail that ships with AIX is vulnerable to the
  conditions listed in this advisory. A fix is in progress, and will be
  delivered in the following APARs.

    AIX 3.2: IX64460
    AIX 4.1: IX64459
    AIX 4.2: IX64443
=============================================================================
=============================================================================
ERS-SVA-E01-1996:008.1
03 December 1996 18:30 GMT

VULNERABILITY:  The "lquerypv" command does not correctly enforce file access
                permissions.
-----------------------------------------------------------------------------
See the appropriate release below to determine your action.

     AIX 3.2.x
     ---------
       Not vulnerable; no fix necessary.

     AIX 4.1.x
     ---------
       APAR - IX64203

     AIX 4.2.x
     ---------
       APAR - IX64204
=============================================================================
=============================================================================
ERS-SVA-E01-1996:007.1
03 December 1996 18:30 GMT

VULNERABILITY:  Possible buffer overrun condition in "gethostbyname()" library
                function
-----------------------------------------------------------------------------
See the appropriate release below to determine your action.

  AIX 3.2.x
  ---------
    APAR - IX60927 (PTF - U443452,U444191,U444206,U444213,U444233,U444244)

  AIX 4.1.x
  ---------
    APAR - IX61019

  AIX 4.2.x
  ---------
    APAR - IX62144
=============================================================================
=============================================================================
ERS-SVA-E01-1996:006.1
03 December 1996 18:30 GMT

VULNERABILITY:  "Ping o' Death" and SYN flood attacks
-----------------------------------------------------------------------------
See the appropriate release below to determine your action.

  A. The SYN Flood Attack

          AIX 3.2.5
          ---------
              No APAR available; upgrade to AIX 4.x recommended

          AIX 4.1.x
          ---------
              APAR - IX62476

          AIX 4.2.x
          ---------
              APAR - IX62428

  B. The "Ping o' Death" Attack

          AIX 3.2.5
          ---------
              APAR - IX59644

          AIX 4.1.x
          ---------
              APAR - IX59453

          AIX 4.2.x
          ---------
              APAR - IX61858

NOTE: The fixes in this section should ONLY be applied to systems running the
      IBM Internet Connection Secured Network Gateway (SNG) firewall software.
      They should be applied IN ADDITION TO the IBM AIX fixes listed in the
      previous section.

          IBM SNG V2.1
          ------------
              APAR - IR33376 PTF UR46673

          IBM SNG V2.2
          ------------
              APAR - IR33484 PTF UR46641
=============================================================================
=============================================================================
CERT(sm) Advisory CA-96.24
Original issue date: November 21, 1996
Last revised: --

Topic: Sendmail Daemon Mode Vulnerability
-----------------------------------------------------------------------------
See the appropriate release below to determine your action.

  AIX 3.2
  -------
    No fix required. AIX 3.2 sendmail is not vulnerable.

  AIX 4.1
  -------
    No fix required. AIX 4.1 sendmail is not vulnerable.

  AIX 4.2
  -------
    AIX 4.2 sendmail is vulnerable.
    APAR IX63068 will be available shortly.
=============================================================================
=============================================================================
CERT(sm) Advisory CA-96.21
Original issue date: September 19, 1996
Last revised: September 24, 1996

Topic: TCP SYN Flooding and IP Spoofing Attacks
-----------------------------------------------------------------------------
Although AIX is likely no more or less vulnerable to this type of attack
than any other vendor, IBM does recommend the following fixes to harden
your AIX system against external TCP protocol attacks.

  AIX 3.2
  -------
    Apply the following fixes to your system:

       APAR - IX59644

  AIX 4.1
  -------
    Apply the following fixes to your system:

       APAR - IX58507

  AIX 4.2
  -------
    Apply the following fixes to your system:

       APAR - IX58905
=============================================================================
=============================================================================
CERT(sm) Advisory CA-96.20
Original issue date: September 18, 1996
Last revised: --

Topic: Sendmail Vulnerabilities
-----------------------------------------------------------------------------
                *** This advisory supersedes CA-95:05 ***

IBM Corporation
================
  The following APARs are being developed and will be available shortly.
  See the appropriate release below to determine your action.


  AIX 3.2
  -------
    APAR - IX61303 IX61307

  AIX 4.1
  -------
    APAR - IX61162 IX61306

  AIX 4.2
  -------
    APAR - IX61304 IX61305
=============================================================================
=============================================================================
CERT(sm) Advisory CA-96.14
July 24, 1996

Topic: Vulnerability in rdist

-----------------------------------------------------------------------------

   AIX is vulnerable to this problem. Fixes are in process but are
   not yet available. The APAR numbers for the fixes are given below.
   In the meantime, we recommend removing the setuid bit from the
   /usr/bin/rdist program.

  To remove the setuid bit, follow these instructions.

     As the root user, type:

        chmod u-s /usr/bin/rdist

  AIX 3.2
  -------
    APAR - IX59741

  AIX 4.1
  -------
    APAR - IX59742

  AIX 4.2
  -------
    APAR - IX59743
=============================================================================
=============================================================================
CERT(sm) Advisory CA-96.09
April 24, 1996

Topic: Vulnerability in rpc.statd

-----------------------------------------------------------------------------

  AIX 3.2
  -------
    APAR - IX56056 (PTF - U441411)

  AIX 4.1
  -------
    APAR - IX55931
=============================================================================
=============================================================================
CERT(sm) Advisory CA-96.08
April 18, 1996

Topic: Vulnerabilities in PCNFSD

-----------------------------------------------------------------------------

  AIX 3.2
  -------
    APAR - IX57623 (PTF - U442633)
    APAR - IX56965 (PTF - U442638)

  AIX 4.1
  -------
    APAR - IX57616
    APAR - IX56730
=============================================================================
=============================================================================
Topic:  AIX 3.2.5 rmail vulnerability
Source: IBM AIX Response Team

IBM AIX Security Advisory


Friday April 12, 1996
---------------------------------------------------------------------
I.      Description:

        IBM has become aware of a potential security exposure with
        the rmail command on version 3 of the AIX operating system.

        Version 4 does not contain this vulnerability.


II.     Impact:

        A user can gain unauthorized access to another user's mail.


III.    Solution:

        There are two possible solutions to this vulnerability.
        IBM urges you to use the first solution since it is the
        quickest solution.

            1) As root, execute the following command:

                   /usr/bin/chmod 555 /usr/bin/rmail /bin/rmail


            2) Apply the following APAR to your system once the APAR
               is available:

               APAR - IX57680
=============================================================================
=============================================================================
  This is in response to the following advisories, which were identical.

    IBM-ERS ERS-SVA-C01-1996:001.1
    CIAC G-09
    CERT VU#6093

  IBM has incorporated options into sendmail that disable the VRFY and
  EXPN features of sendmail.  Use the '-o' parameter on the command line
  or the O control line in the configuration file to activate these options.

  Security options for the SMTP server (daemon) mode of sendmail are:

    +   Turns on secure SMTP.  When enabled, this option disables the VRFY
        and EXPN commands.  These commands are required and do run, but
        they echo their argument back to the user rather than expanding
        the argument to indicate whether it is valid or invalid.

    -   Turns on SMTP security logging.  When enabled, any use of the VRFY
        and EXPN commands is logged, even if the commands are disabled by
        the + option.  Any invalid user given to the RCPT command is also
        logged.  The log message is sent to syslogd as a mail.warning
        message.  The message includes the date, time, user's hostname,
        command, and argument given to SMTP.


  AIX 3.2
  -------
    APAR - IX41105 (PTF U426334)

  AIX 4.1
  -------
    APAR - IX49343   (bos.net.tcp.client 4.1.2.2 or later)
=============================================================================
=============================================================================
CA-95:17                         CERT Advisory
                                December 12, 1995
                            rpc.ypupdated Vulnerability
-----------------------------------------------------------------------------

  AIX 3.2
  -------
    APAR - IX55360 (PTF U440666)

  AIX 4.1
  -------
    APAR - IX55363
=============================================================================
=============================================================================
VB-95:08                CERT Vendor-Initiated Bulletin
                               November 2, 1995
-----------------------------------------------------------------------------
Patches for AIX 3.2 and AIX 4.1 are available now via anonymous FTP from
software.watson.ibm.com/pub/aix/xdm.

  AIX 3.2  xdm.325
  AIX 4.1  xdm.41

Please replace your /usr/bin/X11/xdm with these versions.

Official fixes will be available in approximately 4 weeks under the
following APAR numbers:

  AIX 3.2  IX54679
  AIX 4.1  IX54680
=============================================================================
=============================================================================
CA-95:14                         CERT Advisory
                               November 1, 1995
                        Telnetd Environment Vulnerability
-----------------------------------------------------------------------------
  IBM AIX is not vulnerable to the conditions described in this CERT
  Advisory.
=============================================================================
=============================================================================
CA-95:13                         CERT Advisory
                                 October 19, 1995
                   Syslog Vulnerability - A Workaround for Sendmail
-----------------------------------------------------------------------------
IBM Corp. - AIX 3.2 and AIX 4.1

Fixes can be obtained by ordering the following APARs using FixDist or by
contacting the IBM Support Center.

  AIX 3.2   IX53358
  AIX 4.1   IX53718
==============================================================================