Bugtraq mailing list archives

Format string vulnerability in AIX(r) locale subsystem.


From: IGS ERS Advisory Service/Charlotte/IBM <advisory () US IBM COM>
Date: Mon, 30 Oct 2000 08:25:02 -0500

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

                                      IBM
                           EMERGENCY RESPONSE SERVICE
                              FOR YOUR INFORMATION

25 OCT 2000 22:40 GMT                            Number: ERS-FYI-E01-2000:078.1
===============================================================================
                 THIS IS NOT A SECURITY VULNERABILITY ALERT

IBM-ERS For Your Information (FYI) documents are designed to provide customers
of the IBM Emergency Response Service with information about current topics in
the fields of Internet and virus security.  FYI documents will be issued
periodically as the need arises.  Topics may include security implications of
new protocols in use on the Internet, implementation suggestions for certain
types of services, virus hype and hoaxes, and answers to frequently asked
questions.

===============================================================================
                                TODAY'S  TOPIC

              Format string vulnerability in AIX(r) locale subsystem.

                                   CONTENTS

  I. DESCRIPTION
 II. IMPACT
III. SOLUTIONS
 IV. OBTAINING FIXES
  V. ACKNOWLEDGEMENTS
 VI. CONTACT INFORMATION

===========================================================================

                           VULNERABILITY SUMMARY

VULNERABILITY:    Format string vulnerability in AIX(r) locale subsystem.

PLATFORMS:        IBM AIX 3.2.x, 4.1.x, 4.2.x, 4.3.x

SOLUTION:         Apply the fixes listed below.

THREAT:           Local users can gain root access.

CVE candidate:    CAN-2000-0844

===========================================================================
                           DETAILED INFORMATION

I.  Description

AIX allows a user-specified locale file to be used for displaying
messages. This functionality is provided through the catopen() call.
This call uses the NLSPATH environment variable to specify an alternate
locale file instead of one of the system locale files. By constructing
a valid locale file which contains special format characters and
setting the NLSPATH environment variable to point to its path, a
malicious user can have privileged applications use his locale file to
obtain root privileges.
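The pattern behind this advisory is a privileged program handing the string returned by catgets() straight to a printf-family call as its format, so that whichever catalog NLSPATH points at decides which conversions run. The following is an added example, not IBM's code and not part of the advisory: a check that accepts a catalog message only when its conversions (length modifier plus conversion letter, in order) match the program's own built-in default text, a validation a program can apply regardless of whether libc ignores NLSPATH. The catalog strings in main() are constructed samples standing in for catgets() results.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Write a compact signature of fmt's conversions (length modifier plus
 * conversion letter, comma separated) into out. Returns 1 on success, 0 if a
 * directive is malformed or uses a form we refuse from a catalog: %n,
 * argument-supplied width/precision (*), or positional ($) arguments. */
static int signature(const char *fmt, char *out, size_t cap)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;                 /* "%%" prints a literal % */
        while (*p && strchr("-+ #0", *p)) p++;     /* flags */
        if (*p == '*') return 0;                   /* width taken from the stack */
        while (isdigit((unsigned char)*p)) p++;    /* fixed width */
        if (*p == '$') return 0;                   /* positional argument */
        if (*p == '.') {                           /* precision */
            if (*++p == '*') return 0;
            while (isdigit((unsigned char)*p)) p++;
        }
        while (*p && strchr("hlLqjzt", *p)) {      /* length modifier */
            if (n + 1 >= cap) return 0;
            out[n++] = *p++;
        }
        if (!*p || !strchr("diouxXeEfFgGaAcsp", *p)) return 0; /* %n, junk */
        if (n + 2 >= cap) return 0;
        out[n++] = *p; out[n++] = ',';
    }
    out[n] = '\0';
    return 1;
}

/* 1 if msg consumes exactly the same argument list as the trusted default. */
int catalog_format_ok(const char *trusted, const char *msg)
{
    char a[64], b[64];
    return signature(trusted, a, sizeof a) && signature(msg, b, sizeof b)
        && strcmp(a, b) == 0;
}

int main(void)
{
    const char *deflt = "cannot open %s: error %d\n";
    /* Constructed catalog entries standing in for what catgets() returns */
    const char *translated = "kann %s nicht oeffnen: Fehler %d\n";
    const char *tampered = "cannot open %s: error %d %x %n\n";
    printf("translated accepted: %d\n", catalog_format_ok(deflt, translated));
    printf("tampered accepted:   %d\n", catalog_format_ok(deflt, tampered));
}
```

A program would call catalog_format_ok() on the catgets() result and fall back to its built-in default text when the check fails, so a catalog can change wording but never the argument list.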


II.  Impact

Any executable with the setuid or setgid bit set is potentially
vulnerable to root compromise.


III.  Solutions

  A.  Official fix

      IBM is working on the following fix which will be available
      soon:

      AIX 4.3.x:  IY13753

      NOTE: Fix will not be provided for versions prior to 4.3 as
      these are no longer supported by IBM. Affected customers are
      urged to upgrade to 4.3, or higher.

  B.  How to minimize the vulnerability

    A temporary fix for AIX 4.3.x systems is available which ignores
    the NLSPATH environment variable.  Note that pending standards
    compliance review, the actual APAR fix may or may not be
    implemented the same way. The temporary fix can be downloaded
    via ftp from:

    ftp://aix.software.ibm.com/aix/efixes/security/locale_format_efix.tar.Z

    The MD5 checksum for the efix libc is:

    Filename        sum             md5
    =================================================================
    libc.a          12878  6149     f8169a0c985220874c0404b4c69d5f20


    This temporary fix has not been fully regression tested. Do the
    following steps (as root) to install the temporary fix:

    1.  Determine the version of the libc fileset on your machine.

        # lslpp -l bos.rte.libc

        If the version of the libc.a fileset for your machine is not
        at the level given below, install the requisite APAR
        listed. This will help ensure that the libc fix will run
        properly.

        Release        Fileset       Version        requisite APAR
        ============================================================
        AIX 4.3.x      bos.rte.libc  4.3.3.25       IY12541

    2. Uncompress and extract the fix.

        a. Place the temporary fix in a directory of your choosing, e.g.,
           "your_dir"; using /tmp as your_dir is a reasonable choice.
        b. # uncompress < locale_format_efix.tar.Z | tar xf -

        The efix libc.a will be extracted to your_dir/locale_format/lib

    3. Make sure the new libc.a works on your system.

        a. # slibclean
        b. # export LIBPATH=your_dir/locale_format/lib
        c. # ls your_dir

        NOTE: This "ls" is a simple test to make sure the new libc.a works.
        If this does *NOT* work (i.e. you get a "killed" message), then do
        *NOT* go further...this libc.a does not work on your system.

    4. Follow the instructions below to install the new libc.a.

        Make a copy of the original libc.a (make sure there is enough
        free space in the filesystem for you to work with), e.g.,

          a. # mkdir /usr/ccs/lib/sv
          b. # cp /usr/ccs/lib/libc.a /usr/ccs/lib/sv

        Copy the libc.a fix into place, e.g.,

          a. # cp -f your_dir/locale_format/lib/libc.a /usr/ccs/lib/
          b. # chown bin.bin /usr/ccs/lib/libc.a
          c. # chmod 555 /usr/ccs/lib/libc.a
          d. # ln -sf /usr/ccs/lib/libc.a /usr/lib/libc.a
          e. # unset LIBPATH
          f. # slibclean

        Make sure that the new libraries will be picked up at
        the next reboot.

          # bosboot -a

    5. Reboot.


IV. Obtaining Fixes

IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
FixDist program), or from the IBM Support Center.  For more information
on FixDist, and to obtain fixes via the Internet, please reference

        http://techsupport.services.ibm.com/rs6k/fixes.html

or send email to "aixserv () austin ibm com" with the word "FixDist" in the
"Subject:" line.

To facilitate ease of ordering all security related APARs for each AIX
release, security fixes are periodically bundled into a cumulative APAR.
For more information on these cumulative APARs including last update and
list of individual fixes, send email to "aixserv () austin ibm com" with
the word "subscribe Security_APARs" in the "Subject:" line.


V.  Acknowledgements

Thanks to Ivan Arce of CORE-SDI for bringing this vulnerability to
our attention.


VI.  Contact Information

Comments regarding the content of this announcement can be directed to:

   security-alert () austin ibm com

To request the PGP public key that can be used to encrypt new AIX
security vulnerabilities, send email to security-alert () austin ibm com
with a subject of "get key".

If you would like to subscribe to the AIX security newsletter, send a
note to aixserv () austin ibm com with a subject of "subscribe Security".
To cancel your subscription, use a subject of "unsubscribe Security".
To see a list of other available subscriptions, use a subject of
"help".

IBM and AIX are registered trademarks of International Business
Machines Corporation.  All other trademarks are property of their
respective holders.

===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment.  IBM's Virus Emergency
Response Service is a subscription-based service that provides assistance
with virus risk and emergency management.  By acting as an extension of your
own internal security staff, IBM-ERS's team of security experts helps you
quickly detect and respond to attacks and exposures to your I/T
infrastructure.

As a part of IBM's Business Continuity Recovery Services organization, the
IBM Emergency Response Service is a component of IBM's SecureWay(tm)
line of security products and services.  From hardware to software to
consulting, SecureWay solutions can give you the assurance and expertise you
need to protect your valuable business resources.  To find out more about the
IBM Emergency Response Service, send an electronic mail message to
ers-sales () ers ibm com, or call 1-800-426-7378.

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security alerts,
team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for
security vulnerability alerts and other distributed information.  The IBM-ERS
PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html.
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.

IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams
(FIRST), a global organization established to foster cooperation and response
coordination among computer security teams worldwide.

Copyright 2000 International Business Machines Corporation.

The information in this document is provided as a service to customers of
the IBM Emergency Response Service.  Neither International Business Machines
Corporation, nor any of its employees, makes any warranty, express or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, apparatus, product, or process
contained herein, or represents that its use would not infringe any privately
owned rights.  Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by IBM or its subsidiaries.  The views and opinions of authors expressed
herein do not necessarily state or reflect those of IBM or its subsidiaries,
and may not be used for advertising or product endorsement purposes.

The material in this document may be reproduced and distributed, without
permission, in whole or in part, by other security incident response teams
(both commercial and non-commercial), provided the above copyright is kept
intact and due credit is given to IBM-ERS.

This document may be reproduced and distributed, without permission, in its
entirety only, by any person provided such reproduction and/or distribution
is performed for non-commercial purposes and with the intent of increasing
the awareness of the Internet community.

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---
