Bugtraq mailing list archives
ISS Security Advisory: Insecure file handling in IBM frcactrl program
From: aleph1 () UNDERGROUND ORG (Aleph One)
Date: Wed, 26 Apr 2000 16:16:09 -0700
ISS Security Advisory
April 26, 2000

Insecure file handling in IBM AIX frcactrl program

Synopsis:

Internet Security Systems (ISS) X-Force has discovered a vulnerability in the AIX frcactrl program. The Fast Response Cache Accelerator (FRCA) is a kernel module that can be used with the IBM HTTP server to improve the performance of a web server. If the FRCA module is loaded, a local attacker could use frcactrl, a program used to manage FRCA configuration, to modify files.

Impact:

An attacker could gain root privileges by using the frcactrl program if the FRCA kernel module is loaded.

Affected Versions:

The frcactrl command shipped with AIX 4.3 APAR IY02669 is vulnerable.

Description:

The AIX Fast Response Cache Accelerator (FRCA) is a kernel extension module that improves the performance of a web server by using a memory cache to store data being served from the web server. FRCA is used primarily with the Apache-based IBM HTTP server, but it may also be used with other web servers. The frcactrl program is used to manage the FRCA configuration and is distributed as part of the base operating system in AIX 4.3.

The vulnerability is present on systems with AIX fix IY02669 applied and with the FRCA kernel extension loaded (the kernel extension is not enabled by default). The setuid bit of the frcactrl file is turned on by APAR (Authorized Problem Analysis Report) IY02669, which allows non-root users to configure the module. A malicious user may use frcactrl to manipulate the configuration of the FRCA log files to create, append, or overwrite files as root.

Recommendations:

ISS recommends that if FRCA is not needed, the module can be unloaded with the following command:

    # /usr/sbin/frcactrl unload ; /usr/sbin/slibclean

Until an official fix is available, IBM recommends removing the setuid bit from the frcactrl command:

    # chmod 555 /usr/sbin/frcactrl

IBM is currently working on the following APARs, which will be available soon:

    APAR 4.3.x: IY09514

APARs may be ordered using Electronic Fix Distribution (via FixDist) or from the IBM Support Center. For more information on Fix Distribution go to: http://service.software.ibm.com/support/rs6000 or send an email to aixserv () austin ibm com with a subject of "FixDist".

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2000-0249 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Credits:

This vulnerability was discovered and researched by Oliver Atoa-Ortiz of the ISS X-Force. ISS would like to thank IBM for their response and handling of this vulnerability.

_____

About Internet Security Systems (ISS)

ISS is a leading global provider of security management solutions for e-business. By offering best-of-breed SAFEsuite (tm) security software, industry-leading ePatrol (tm) managed security services, and strategic consulting and education services, ISS is a trusted security provider to its customers, protecting digital assets and ensuring the availability, confidentiality and integrity of computer systems and information critical to e-business success. ISS' lifecycle e-business security management solutions protect more than 5,000 customers including 21 of the 25 largest U.S. commercial banks, 9 of the 10 largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the ISS Web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce () iss net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force (xforce () iss net) of Internet Security Systems, Inc.
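An added example, not part of the ISS advisory: a POSIX shell check that the interim mitigation (`chmod 555 /usr/sbin/frcactrl`) is actually in effect on a host. The path is the one given in the advisory; the `FRCACTRL_PATH` variable and the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): verify that the setuid bit has
# been removed from frcactrl, as the interim recommendation requires.
# FRCACTRL_PATH and the function names are illustrative.

FRCACTRL_PATH="${FRCACTRL_PATH:-/usr/sbin/frcactrl}"

# Classify one file: prints "absent", "setuid" or "mitigated".
# Only POSIX test(1) operators are used, so no stat(1) is needed.
frcactrl_state() {
    if [ ! -f "$1" ]; then
        echo absent
    elif [ -u "$1" ]; then
        echo setuid
    else
        echo mitigated
    fi
}

# Print a one-line report (state, mode string, owner).
# Returns 1 if the setuid bit is still set, 0 otherwise.
frcactrl_audit() {
    state=$(frcactrl_state "$1")
    if [ "$state" = absent ]; then
        echo "$1: not installed"
        return 0
    fi
    # ls -ld fields: mode, link count, owner, ...
    ls -ld "$1" | {
        read -r mode links owner rest
        echo "$1: $state mode=$mode owner=$owner"
    }
    [ "$state" != setuid ]
}

# Stand-alone use: report on the path named in the advisory.
frcactrl_audit "$FRCACTRL_PATH" ||
    echo "ACTION: setuid bit still set; apply: chmod 555 $FRCACTRL_PATH"
```

The check covers only the file mode; whether the FRCA kernel extension is loaded has to be determined separately.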