Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Fixed local AIX V43 vulnerabilities

From: Esa Etelavuori <eetelavu () CC HUT FI>
Date: Fri, 1 Dec 2000 04:33:48 +0200
-----BEGIN PGP SIGNED MESSAGE-----

Just for the record, here are some local AIX vulnerabilities we have found,
and which have been fixed by IBM this year. If you have been applying fixes,
there should be no problem with these anymore. But it might be interesting
to know what some of those massive fixes available on IBM's site actually are
correcting.

Release Date: 20001201

System

    AIX 4.{3,2}.x

Affected Programs

    setuid root                          V43 APARs  V42 APARs
        /usr/bin/setsenv *                IY08812    IY10721
            [ x=$s ]
        /usr/lib/lpd/digest *             IY08143    IY08287
            [ $s x ]
        /usr/sbin/portmir *               IY07832
            [ -t $s -d x ]
        /usr/bin/enq                      IY08143    IY08287
            [ -M $s ]
        /usr/bin/setclock                 IY07831    IY07790
            [ $s ]
        /usr/lib/lpd/pio/etc/pioout       IY12638
            [ PIO{DEVNAME,PTRTYPE}=$s ]

    setgid printq
        /usr/lib/lpd/piobe *              IY12638
            [ PIOSTATUSFILE=x PIO{TITLE,VARDIR}=$s ]
        /usr/lib/lpd/pio/etc/piomkapqd *  IY12638
            [ -p $s ]
        /usr/bin/splp                     IY12638
            [ $s ]
                                          [*] Confirmed exploitable.

Description

    Exploitable buffer overflows in several setuid and setgid binaries (libs)
    allow local users to gain root access. Portmir can also be used to kill
    other processes as root.

Details

    AIX has a world writable system lock directory which allows playing with
    hardlinks to kill other processes like cron using portmir. The portmir
    overflow is trivial to exploit. Note that these are yet additional
    vulnerabilities to those corrected in 1997.

    Gaining access to printq group gives write access to printer subsystem
    configuration files and directories which contain other binaries. Printer
    subsys programs seem to expect that they are executed by other printer
    programs with correctly set up environment. There are nicely looking
    variables such as PIO_IPCWRITEFD. Printq group has also access to run
    several other suid root binaries from which atleast /usr/lib/lpd/digest
    is exploitable.

    The overflow in digest is a bit more interesting. Our exploit uses two
    overflows. The first one overwrites a pointer located after an overflowed
    library (?) buffer which overflows another buffer on the stack afterwards.
    By that time digest has "dropped" its privileges, but the saved uid is
    still zero.

    Enq was not examined at all. Buffer overflows in setclock and splp happen
    in main(), so atleast argv and env pointers can be overwritten, but seems
    like no interesting data can be accessed. Pioout dies due to never-ending
    strcpy() of the stored PIODEVNAME environment variable on the heap.

    That does not mean they are not exploitable, we just did not investigate
    them thoroughly because debugging binary only executables on free time
    with no reason gets boring quite quickly. Or maybe we interpreted the
    disassembly wrong.

Solution

    Fixes have been available at
    http://techsupport.services.ibm.com/rs6k/fixes.html for some time.

    Notifications of security fixes can be get by sending email to
    aixserv () austin ibm com with a subject of "subscribe Security_APARs".

    Proactive measures such as stripping s[ug]id bits from unused binaries,
    limiting access to the rest of them, and possibly applying suid wrappers
    for command line arguments and environment variables are recommended.
    IBM's informative web site has other AIX specific security guides.

    We have not verified that the fixes are working due to lack of resources.
    If someone is willing to give me (EE) access to a new AIX based
    (super)computer and does not mind occasional system crashes, I might
    provide a complete report. :-)

Credits & Acknowledgements

    Vulnerabilities were found by Esa Etelavuori (http://www.iki.fi/ee/)
    and Jouko Pynnönen (jouko () solutions fi).

    Thanks to Troy Bollinger and others of the AIX security team for swift
    responses.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (DreamOS)
Comment: For info see http://www.gnupg.org

iQCVAwUBOicMvVZDrCkIweM9AQGqGwQAmlkFT9qqvPwYSE83/SPctScwqq7Qk6Zj
+G8ms7f5BdPvdazAsadH3l31FpaET5sZdYuiUcHEfXAOIbQbT1mJWEnVDaVVbj2p
zmCNJXO6CpjC5GtxImV5fE+F8aD9c0lV156ZUasiWyCc1YZt0hzpxl3eUOtJ11qe
8OHs85Hbozk=
=Q6S6
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: