aix __ bos.rte.printers __ format string vulnerability

["Sergey Kuprin" <Sergey.Kuprin () warehouse ru>]

there is a local (and possibly remote) format string vulnerability in
package bos.rte.printers.
feeding /usr/bin/enq with arguments containing formatstring characters it
can result in seg_fault.
the research of this problem with acknowledgements of exact arguments and
configuration types
wasn't done.

the enq utility is a part of qdaemon printing system. it can be called in
different cases.
so in special cases it is possible to force pass formatstring via print
queue. it isn't checked on
practice.

as enq-utility on most systems have suid-flag, we can gain privileges of
owner (typicaly root).

as mentioned we have local and remote formatstring bug with ability to gain
root privileges.

to prove local vulnerabily we must have permissions to execute enq and
construct formatstring
which executes our code. to prove remote vulnerabily the closer view and
investigation is needed.

(ruff@first) /home/ruff> oslevel
4.3.3.0
(ruff@first) /home/ruff> ls -alF /usr/bin/enq
-r-sr-sr-x   1 root     printq     69980 Apr 20 2001  /usr/bin/enq*

(ruff@first) /home/ruff> lslpp -h bos.rte.printers
  Fileset         Level     Action       Status       Date         Time

----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  bos.rte.printers
                 4.3.3.75   COMMIT       COMPLETE     10/25/03     22:50:17

Path: /etc/objrepos
  bos.rte.printers
                 4.3.3.75   COMMIT       COMPLETE     10/25/03     22:50:17

(ruff@first) /home/ruff> enq -P%08x%08x%08x%08x%08x%08x
enq: (FATAL ERROR): Bad queue or device name:
2ff20dae0000000000000000000000000000000100808080.
(ruff@first) /home/ruff> enq -P%n%n
enq: (FATAL ERROR): Bad queue or device name: Segmentation fault
(ruff@first) /home/ruff>