[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Local AIX 4.{3,2}.x vulnerabilities

Title: Local AIX 4.{3,2}.x vulnerabilities
Released by: Esa Etelavuori and Jouko Pynnö
Date: 1st December 2000
Printable version: Click here 
-----BEGIN PGP SIGNED MESSAGE-----



Just for the record, here are some local AIX vulnerabilities we have found,

and which have been fixed by IBM this year. If you have been applying fixes,

there should be no problem with these anymore. But it might be interesting

to know what some of those massive fixes available on IBM's site actually are

correcting.



Release Date: 20001201



System



    AIX 4.{3,2}.x



Affected Programs



    setuid root                          V43 APARs  V42 APARs

        /usr/bin/setsenv *                IY08812    IY10721

            [ x=$s ]

        /usr/lib/lpd/digest *             IY08143    IY08287

            [ $s x ]

        /usr/sbin/portmir *               IY07832

            [ -t $s -d x ]

        /usr/bin/enq                      IY08143    IY08287

            [ -M $s ]

        /usr/bin/setclock                 IY07831    IY07790

            [ $s ]

        /usr/lib/lpd/pio/etc/pioout       IY12638

            [ PIO{DEVNAME,PTRTYPE}=$s ]



    setgid printq

        /usr/lib/lpd/piobe *              IY12638

            [ PIOSTATUSFILE=x PIO{TITLE,VARDIR}=$s ]

        /usr/lib/lpd/pio/etc/piomkapqd *  IY12638

            [ -p $s ]

        /usr/bin/splp                     IY12638

            [ $s ]

                                          [*] Confirmed exploitable.



Description



    Exploitable buffer overflows in several setuid and setgid binaries (libs)

    allow local users to gain root access. Portmir can also be used to kill

    other processes as root.



Details



    AIX has a world writable system lock directory which allows playing with

    hardlinks to kill other processes like cron using portmir. The portmir

    overflow is trivial to exploit. Note that these are yet additional

    vulnerabilities to those corrected in 1997.



    Gaining access to printq group gives write access to printer subsystem

    configuration files and directories which contain other binaries. Printer

    subsys programs seem to expect that they are executed by other printer

    programs with correctly set up environment. There are nicely looking

    variables such as PIO_IPCWRITEFD. Printq group has also access to run

    several other suid root binaries from which atleast /usr/lib/lpd/digest

    is exploitable.



    The overflow in digest is a bit more interesting. Our exploit uses two

    overflows. The first one overwrites a pointer located after an overflowed

    library (?) buffer which overflows another buffer on the stack afterwards.

    By that time digest has "dropped" its privileges, but the saved uid is

    still zero.



    Enq was not examined at all. Buffer overflows in setclock and splp happen

    in main(), so atleast argv and env pointers can be overwritten, but seems

    like no interesting data can be accessed. Pioout dies due to never-ending

    strcpy() of the stored PIODEVNAME environment variable on the heap.



    That does not mean they are not exploitable, we just did not investigate

    them thoroughly because debugging binary only executables on free time

    with no reason gets boring quite quickly. Or maybe we interpreted the

    disassembly wrong.



Solution



    Fixes have been available at

    http://techsupport.services.ibm.com/rs6k/fixes.html for some time.



    Notifications of security fixes can be get by sending email to

    aixserv@austin.ibm.com with a subject of "subscribe Security_APARs".



    Proactive measures such as stripping s[ug]id bits from unused binaries,

    limiting access to the rest of them, and possibly applying suid wrappers

    for command line arguments and environment variables are recommended.

    IBM's informative web site has other AIX specific security guides.



    We have not verified that the fixes are working due to lack of resources.

    If someone is willing to give me (EE) access to a new AIX based

    (super)computer and does not mind occasional system crashes, I might

    provide a complete report. :-)



Credits & Acknowledgements



    Vulnerabilities were found by Esa Etelavuori (http://www.iki.fi/ee/)

    and Jouko Pynnönen (jouko@solutions.fi).



    Thanks to Troy Bollinger and others of the AIX security team for swift

    responses.



-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.0.4 (DreamOS)

Comment: For info see http://www.gnupg.org



iQCVAwUBOicMvVZDrCkIweM9AQGqGwQAmlkFT9qqvPwYSE83/SPctScwqq7Qk6Zj

+G8ms7f5BdPvdazAsadH3l31FpaET5sZdYuiUcHEfXAOIbQbT1mJWEnVDaVVbj2p

zmCNJXO6CpjC5GtxImV5fE+F8aD9c0lV156ZUasiWyCc1YZt0hzpxl3eUOtJ11qe

8OHs85Hbozk=

=Q6S6

-----END PGP SIGNATURE-----






(C) 1999-2000 All rights reserved.