Bugtraq mailing list archives
Fixed local AIX V43 vulnerabilities
From: Esa Etelavuori <eetelavu () CC HUT FI>
Date: Fri, 1 Dec 2000 04:33:48 +0200
Just for the record, here are some local AIX vulnerabilities we have found,
and which have been fixed by IBM this year. If you have been applying fixes,
there should be no problem with these anymore. But it might be interesting to
know what some of those massive fixes available on IBM's site actually are
correcting.

Release Date: 20001201

System: AIX 4.{3,2}.x

Affected Programs

  Program                            APARs (V43, V42)   Overflowing input
  setuid root:
  /usr/bin/setsenv *                 IY08812 IY10721    [ x=$s ]
  /usr/lib/lpd/digest *              IY08143 IY08287    [ $s x ]
  /usr/sbin/portmir *                IY07832            [ -t $s -d x ]
  /usr/bin/enq                       IY08143 IY08287    [ -M $s ]
  /usr/bin/setclock                  IY07831 IY07790    [ $s ]
  /usr/lib/lpd/pio/etc/pioout        IY12638            [ PIO{DEVNAME,PTRTYPE}=$s ]
  setgid printq:
  /usr/lib/lpd/piobe *               IY12638            [ PIOSTATUSFILE=x PIO{TITLE,VARDIR}=$s ]
  /usr/lib/lpd/pio/etc/piomkapqd *   IY12638            [ -p $s ]
  /usr/bin/splp                      IY12638            [ $s ]

  [*] Confirmed exploitable. ($s is the overlong argument or variable value;
  x is an arbitrary value.)

Description

Exploitable buffer overflows in several setuid and setgid binaries (and
libraries) allow local users to gain root access. Portmir can also be used to
kill other processes as root.

Details

AIX has a world-writable system lock directory, which allows playing with hard
links to kill other processes, such as cron, using portmir. The portmir overflow
is trivial to exploit. Note that these are yet additional vulnerabilities to
those corrected in 1997.

Gaining access to the printq group gives write access to printer subsystem
configuration files and directories, which contain other binaries. Printer
subsystem programs seem to expect that they are executed by other printer
programs with a correctly set up environment; there are nice-looking variables
such as PIO_IPCWRITEFD. The printq group also has access to run several other
suid root binaries, of which at least /usr/lib/lpd/digest is exploitable.

The overflow in digest is a bit more interesting. Our exploit uses two
overflows. The first one overwrites a pointer located after an overflowed
library (?) buffer, which afterwards overflows another buffer on the stack. By
that time digest has "dropped" its privileges, but the saved uid is still zero.

Enq was not examined at all. Buffer overflows in setclock and splp happen in
main(), so at least the argv and env pointers can be overwritten, but it seems
that no interesting data can be accessed. Pioout dies due to a never-ending
strcpy() of the stored PIODEVNAME environment variable on the heap. That does
not mean they are not exploitable; we just did not investigate them thoroughly,
because debugging binary-only executables in free time with no reason gets
boring quite quickly. Or maybe we interpreted the disassembly wrong.

Solution

Fixes have been available at http://techsupport.services.ibm.com/rs6k/fixes.html
for some time. Notifications of security fixes can be obtained by sending email
to aixserv () austin ibm com with a subject of "subscribe Security_APARs".

Proactive measures such as stripping s[ug]id bits from unused binaries,
limiting access to the rest of them, and possibly applying suid wrappers for
command line arguments and environment variables are recommended. IBM's
informative web site has other AIX-specific security guides.

We have not verified that the fixes are working due to lack of resources. If
someone is willing to give me (EE) access to a new AIX-based (super)computer
and does not mind occasional system crashes, I might provide a complete
report. :-)

Credits & Acknowledgements

Vulnerabilities were found by Esa Etelavuori (http://www.iki.fi/ee/) and Jouko
Pynnönen (jouko () solutions fi). Thanks to Troy Bollinger and others of the
AIX security team for swift responses.
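The "suid wrapper for command line arguments and environment variables" mentioned under Solution, written out as an added example (not IBM's code and not the authors'): the wrapper rejects overlong or control-character arguments, drops every environment variable not on a short allow list (so the PIO* variables never reach the real binary), and only then execs it. It assumes the real binary has been renamed to a hypothetical /usr/lib/lpd/digest.real and restricted so that only the wrapper can execute it; the 256-byte limit and the allow list are constructed for the example.

```c
/* Added example, not IBM code: a setuid wrapper that bounds argument lengths and
 * hands the real binary only an allow-listed, length-checked environment. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define MAX_LEN 256          /* constructed limit, well below the overflowed buffers */
extern char **environ;

/* 1 if every argument is at most max_len bytes and free of control characters. */
int args_ok(int argc, char *const argv[], size_t max_len)
{
    for (int i = 1; i < argc; i++) {
        if (strlen(argv[i]) > max_len) return 0;
        for (const char *p = argv[i]; *p; p++)
            if ((unsigned char)*p < 0x20) return 0;
    }
    return 1;
}

/* Keep only variables named in allow[] whose values fit max_len; out[] ends with NULL. */
size_t build_env(char *const in[], const char *const allow[], size_t max_len,
                 char *out[], size_t out_cap)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != NULL && n + 1 < out_cap; i++) {
        const char *eq = strchr(in[i], '=');
        if (eq == NULL) continue;              /* malformed entry: drop it */
        size_t namelen = (size_t)(eq - in[i]);
        for (size_t a = 0; allow[a] != NULL; a++)
            if (strlen(allow[a]) == namelen && strncmp(in[i], allow[a], namelen) == 0
                && strlen(eq + 1) <= max_len) {
                out[n++] = in[i];
                break;
            }
    }
    out[n] = NULL;
    return n;
}

int main(int argc, char *argv[])
{
    static const char *const allow[] = { "PATH", "TERM", "LANG", NULL };
    char *env[8];                              /* allow list plus terminating NULL */
    if (!args_ok(argc, argv, MAX_LEN)) {
        fprintf(stderr, "%s: argument too long or malformed\n", argv[0]);
        return 1;
    }
    build_env(environ, allow, MAX_LEN, env, sizeof env / sizeof env[0]);
    execve("/usr/lib/lpd/digest.real", argv, env); /* hypothetical path; see lead-in */
    return 1;                                  /* only reached if exec fails */
}
```

A wrapper like this only narrows the input reaching the binary; it is a stopgap until the APARs above are applied, and the limits must be chosen per program so that legitimate arguments still pass.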