-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
                          Security Advisory CERT-NL
===============================================================================
Author/Source : Gert Meijerink                    Index         : S-96-72
Distribution  : World                             Page          :
Classification: External                          Version       :
Subject       : IBM-AIX gethostbyname vulnerability
Date          : 3-dec-96
===============================================================================

By courtesy of IBM-ERS, we received information on a vulnerability in the IBM
AIX gethostbyname() library function. CERT-NL recommends that sites apply the
solutions given in part III.

===============================================================================

03 December 1996 18:30 GMT                      Number: ERS-SVA-E01-1996:007.1

===============================================================================
                            VULNERABILITY SUMMARY

VULNERABILITY: Possible buffer overrun condition in "gethostbyname()" library
               function

PLATFORMS:     IBM AIX(r) 3.2.x, 4.1.x, 4.2.x

SOLUTION:      Apply the fixes described below

THREAT:        If exploited, this condition may permit unauthorized super-user
               access to the system

===============================================================================
                            DETAILED INFORMATION

I. Description

In TCP/IP networks such as the Internet and many corporate networks, hosts are
identified by 32-bit numbers called addresses. However, because these numbers
are difficult to remember, names are also given to hosts. Although people use
the names to refer to the hosts, computer software must translate these names
into the numeric addresses in order to use them. The Domain Name System (DNS),
also called "the name server," is the primary database used to perform these
name-to-address (and address-to-name) translations. Other databases, such as
the Network Information System (NIS, formerly called Yellow Pages) and the
"hosts file" are also used on some systems.
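The name-to-address translation described above is what a program requests
through the "gethostbyname()" library call that the advisory goes on to
discuss. The C program below is an added example, not IBM's code and not part
of this advisory: it shows a caller guarding the two quantities a buffer
overrun in a name lookup depends on, the length and syntax of the host name it
was handed and the size of the fixed buffer the name is copied into, and
rejecting a bad name before any lookup is made. The HOSTNAME_BUF size, the
function names and the sample host names are assumptions of the example; the
RFC 1035 length limits (253 characters overall, 63 per label) are standard.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>

/* Assumption: fixed hostname buffer of 256 bytes (253-char DNS limit + NUL). */
#define HOSTNAME_BUF 256

/* 1 if name is a syntactically valid DNS host name under the RFC 1035 limits
 * (1..253 chars, labels of 1..63 letters/digits/hyphens, no label starting or
 * ending with '-', no leading or trailing dot), else 0. */
int hostname_is_valid(const char *name)
{
    size_t len, i, label = 0;
    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > 253)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {                 /* end of a label */
            if (label == 0 || name[i - 1] == '-')
                return 0;               /* empty label or label ending in '-' */
            label = 0;
            continue;
        }
        if (!isalnum(c) && c != '-')
            return 0;
        if (label == 0 && c == '-')     /* label may not start with '-' */
            return 0;
        if (++label > 63)
            return 0;
    }
    return (label > 0 && name[len - 1] != '-') ? 1 : 0;
}

/* Copies name into dst only when it fits with its NUL; returns 0 on success,
 * -1 if the copy would overrun dst (the unchecked strcpy() this replaces is
 * the kind of copy that corrupts the stack). */
int copy_hostname_bounded(char *dst, size_t dstsz, const char *name)
{
    size_t len = strlen(name);
    if (dstsz == 0 || len + 1 > dstsz)
        return -1;
    memcpy(dst, name, len + 1);
    return 0;
}

/* Validates and bounds the caller-supplied name, then resolves it and writes
 * the first IPv4 address as text into out. Returns 0 on success, -1 when the
 * name is rejected before any lookup, -2 when the lookup fails. */
int resolve_checked(const char *name, char *out, size_t outsz)
{
    char local[HOSTNAME_BUF];
    struct hostent *he;
    if (!hostname_is_valid(name) ||
        copy_hostname_bounded(local, sizeof local, name) != 0)
        return -1;
    he = gethostbyname(local);
    if (he == NULL || he->h_addrtype != AF_INET || he->h_addr_list[0] == NULL)
        return -2;
    return inet_ntop(AF_INET, he->h_addr_list[0], out, (socklen_t)outsz) ? 0 : -2;
}

/* Constructed inputs that exercise the two guards without a name server. */
int check_long_label(void)
{
    char name[80];
    memset(name, 'a', 64);              /* a 64-character label: too long */
    memcpy(name + 64, ".example", 9);   /* ".example" plus NUL */
    return hostname_is_valid(name);     /* 0 */
}

int check_bounded_copy(void)
{
    char small[8];
    return copy_hostname_bounded(small, sizeof small, "toolong.host"); /* -1 */
}

int main(void)
{
    const char *names[] = { "localhost", "-bad.example", "www.example.com" };
    char addr[INET_ADDRSTRLEN];
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = resolve_checked(names[i], addr, sizeof addr);
        printf("%-16s %s\n", names[i],
               rc == 0 ? addr : rc == -1 ? "rejected before lookup" : "lookup failed");
    }
    return 0;
}
```

Validation runs before the lookup, so a hostile name never reaches the
library; the bounded copy makes the local buffer size a checked condition
instead of an assumption, which is the discipline a fixed-size buffer in a
set-user-id program needs regardless of which libc it links against.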
When a program on a UNIX system wants to look up a host's name and obtain its
network address, it uses a library function called "gethostbyname()." This
function takes a host name as a parameter, contacts the Domain Name System (or
another source of information), and returns the host's address(es) to the
program. This saves the programmer the trouble of writing the complex code to
interface with the name server.

Under certain conditions, the "gethostbyname()" library function provided with
IBM AIX versions 3.2.x, 4.1.x, and 4.2.x can encounter a buffer overrun that
allows information on the program stack to be corrupted.

II. Impact

Many set-user-id and set-group-id programs, as well as many network programs
running with super-user privileges, make use of the "gethostbyname()" library
function. Corrupting the program stack of these programs may allow arbitrary
user-provided code to be executed inadvertently.

If successfully exploited, this buffer overrun condition could be used to gain
super-user access to the system. Such an action could be initiated over the
network from a remote system, or by a user on the local system. Penetration
through a firewall may also be possible, depending on which services and
applications are permitted by the firewall system.

A script that exploits a similar buffer overrun condition in the Sun Solaris
2.x version of "gethostbyname()" was publicly released in November, 1996. Sun
Microsystems announced fixes for that condition in Security Bulletin 137, which
was released on 20 Nov 96. As of this writing, IBM-ERS is not aware of any
similar exploitation script for the AIX operating system, nor are we aware of
any successful exploitations of this condition (against either AIX systems or
Solaris systems).

III. Solutions

The following Automated Program Analysis Reports (APARs) for IBM AIX are now
available to address the concerns described above:

  AIX 3.2.x
  ---------
  APAR - IX60927 (PTF - U443452,U444191,U444206,U444213,U444233,U444244)

  To determine if you have this PTF on your system, run the following command:

    lslpp -lB U443452 U444191 U444206 U444213 U444233 U444244

  AIX 4.1.x
  ---------
  APAR - IX61019

  To determine if you have this APAR on your system, run the following command:

    instfix -ik IX61019

  AIX 4.2.x
  ---------
  APAR - IX62144

  To determine if you have this APAR on your system, run the following command:

    instfix -ik IX62144

IBM AIX APARs may be ordered using Electronic Fix Distribution (via the FixDist
program), or from the IBM Support Center. For more information on FixDist, and
to obtain fixes via the Internet, please reference

    http://service.software.ibm.com/aixsupport/

or send electronic mail to "aixserv@austin.ibm.com" with the word "FixDist" in
the "Subject:" line.

IV. Acknowledgements

IBM-ERS would like to thank the CERT Coordination Center (CERT/CC), AUSCERT,
Sun Microsystems, and Marko Laakso (University of Oulu) for providing some of
the information in this advisory.

AIX is a registered trademark of International Business Machines Corporation.

Copyright 1996 International Business Machines Corporation.

===============================================================================
=============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).
All CERT-NL material is available under:
    http://www.surfnet.nl/surfnet/security/cert-nl.html
    ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100
in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl
Phone:     +31 302 305 305
Fax:       +31 302 305 329
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA UTRECHT
           The Netherlands

A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members on
request.
==============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: cp850

iQCVAwUBMqSdtmL2fnkJN/jpAQGfJgP/anSn74EihaAJa5QuFS9GrUnl7881+YIH
P/cWVliBBBlzfDDIGQHGabzZjfPhMg5Rgul866ZwInTloSjmW+gbIaIjBwZNTzgM
BhAokW8qMMHn5XvRAqIWU/dXhPVcrzULFNo3+eZfr8BRW07t86Sae7oB5O1MAOr4
Q3oGX6jYrIs=
=7u1J
-----END PGP SIGNATURE-----