===============================================================================
                         Security Advisory CERT-NL
===============================================================================
Author/Source : Gert Meijerink                           Index : S-96-73
Distribution  : World                                    Page  :
Classification: External                                 Version:
Subject       : Vulnerability in IBM AIX "lquerypv" command
Date          : 3-dec-96
===============================================================================

By courtesy of IBM-ERS, we received information on a vulnerability in the
IBM AIX "lquerypv" command.

CERT-NL recommends that sites apply the solutions given in part III.

===============================================================================

03 December 1996 18:30 GMT                    Number: ERS-SVA-E01-1996:008.1
===============================================================================
                            VULNERABILITY SUMMARY

VULNERABILITY:  The "lquerypv" command does not correctly enforce file access
                permissions.

PLATFORMS:      IBM AIX(r) 4.1, 4.2

SOLUTION:       Apply the fix described below.

THREAT:         Users who know how to exploit this vulnerability may be able
                to read files they would not normally have access to.

===============================================================================
                            DETAILED INFORMATION

I. Description

The "lquerypv" command is an undocumented, low-level worker program that is
part of the AIX Logical Volume Manager family of commands. When installed,
the "lquerypv" command is set-user-id "root", which allows it to run with
super-user access permissions.

When invoked with the "-h" option, "lquerypv" does not adequately enforce
the read permissions on files when it is run by regular (non-"root") users.
This can allow users to obtain access to the contents of files that they are
not authorized to read.

Instructions for exploiting this vulnerability were made available on USENET
newsgroups and Internet mailing lists in November, 1996.

II. Impact

Allowing users to obtain unauthorized access to file contents can reveal such
confidential information as encrypted passwords, electronic mail, and other
data.

III. Solutions

A. How to alleviate the problem

This problem can be alleviated by removing the set-user-id bit from the
"lquerypv" program. To do this, execute the following command as "root":

    chmod u-s /usr/sbin/lquerypv

Note that this action will cause some Logical Volume Manager commands (such
as "lsps") to fail when they are executed by non-"root" users. It will not
affect the operation of these commands when they are executed by "root".

B. Official fix

The following Automated Program Analysis Reports (APARs) for IBM AIX are now
available to address this problem:

AIX 3.2.x
---------
Not vulnerable; no fix necessary.

AIX 4.1.x
---------
APAR - IX64203

To determine if you have this APAR on your system, run the following
command:

    instfix -ik IX64203

Or, run this command:

    lslpp -h bos.rte.lvm

and verify that your version of bos.rte.lvm is 4.1.5.3 or later.

AIX 4.2.x
---------
APAR - IX64204

To determine if you have this APAR on your system, run the following
command:

    instfix -ik IX64204

Or, run this command:

    lslpp -h bos.rte.lvm

and verify that your version of bos.rte.lvm is 4.2.0.7 or later.

IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
FixDist program), or from the IBM Support Center. For more information on
FixDist, and to obtain fixes via the Internet, please reference

    http://service.software.ibm.com/aixsupport/

or send electronic mail to "aixserv@austin.ibm.com" with the word "FixDist"
in the "Subject:" line.

V. Acknowledgements

IBM-ERS would like to thank Andrew Pechenov for bringing this vulnerability
to our attention.

AIX is a registered trademark of International Business Machines
Corporation.

Copyright 1996 International Business Machines Corporation.
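The two checks in part III (has the set-user-id bit been removed, and is bos.rte.lvm at the APAR level for the release line) can be combined into one host verdict. The script below is an added example, not part of the advisory or of AIX; the path and fix levels are those given above, while how a site obtains the release and the installed bos.rte.lvm level (for instance from the "lslpp -h" output quoted in part III) is left to the caller.

```sh
#!/bin/sh
# Added check script (not from the advisory or from AIX): decides whether a
# host still carries the lquerypv exposure. Path and fix levels come from
# the advisory; release and bos.rte.lvm level are passed in by the caller.

LQUERYPV=/usr/sbin/lquerypv

# True when the file is set-user-id; the advisory's III.A mitigation clears it.
is_setuid() {
    [ -u "$1" ]
}

# True when dotted version $1 is at or above $2 (numeric, field by field).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0} y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# True when the installed bos.rte.lvm level meets the APAR level the advisory
# gives for the AIX release line (III.B); 3.2.x is not vulnerable.
lvm_fixed() {
    case "$1" in
        3.2*) return 0 ;;
        4.1*) version_ge "$2" 4.1.5.3 ;;   # APAR IX64203
        4.2*) version_ge "$2" 4.2.0.7 ;;   # APAR IX64204
        *)    return 1 ;;                  # unknown release: assume unfixed
    esac
}

# Verdict for one host: fixed / mitigated (set-user-id bit removed) / exposed.
# Arguments: AIX release, installed bos.rte.lvm level, optional path override.
lquerypv_status() {
    path=${3:-$LQUERYPV}
    if lvm_fixed "$1" "$2"; then
        echo fixed
    elif is_setuid "$path"; then
        echo exposed
    else
        echo mitigated
    fi
}
```

On an AIX 4.1 host, "lquerypv_status 4.1 4.1.5.2" prints "exposed" until either the APAR is installed or the III.A chmod has been applied, after which it prints "mitigated".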
===============================================================================

===============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
    http://www.surfnet.nl/surfnet/security/cert-nl.html
    ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100
in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl
Phone:     +31 302 305 305
Fax:       +31 302 305 329
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA UTRECHT
           The Netherlands

A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members
on request.
===============================================================================