===============================================================================
  Security Advisory                                                   CERT-NL
===============================================================================
Author/Source : Don Stikvoort                        Index   : S-97-77
Distribution  : World                                Page    : 1
Classification: External                             Version : 1
Subject       : Five-pack IBM AIX vulnerabilities    Date    : 31-Oct-97
===============================================================================

By courtesy of IBM ERS we received information on five vulnerabilities in
IBM AIX 4.1 and 4.2: three buffer-overflow vulnerabilities and an nslookup
vulnerability, which enable local users to become root, and a piodmgrsu
vulnerability, which enables local users to gain access to the administrative
"printq" group.

CERT-NL recommends following the recommendations below.

(The IBM information below is copyright protected:
Copyright 1997 International Business Machines Corporation.)

==============================================================================

                            VULNERABILITY SUMMARY

VULNERABILITY: Buffer overflow in the IBM AIX "xdat" command
PLATFORMS:     IBM AIX(r) 4.1, 4.2
SOLUTION:      Remove the setuid bit or apply one of the fixes below
THREAT:        Local users may become root

                            DETAILED INFORMATION

I. Description

   The "xdat" command shipped with AIX version 4 does not check the length
   of the "TZ" environment variable. This command was not shipped with
   AIX 3.2.

II. Impact

   Local users may become root.

III. Solutions

   A. How to alleviate the problem

      This problem can be alleviated by removing the set-user-id bit from
      the "xdat" program. To do this, execute the following command as
      "root":

         chmod 555 /usr/lpp/X11/bin/xdat

   B. Official fix

      IBM is currently working on the following APARs, but they are not yet
      available.

         AIX 4.1: IX72020
         AIX 4.2: IX72021

   C. Temporary fixes

      A temporary fix is available via anonymous ftp from:

         ftp://testcase.software.ibm.com/aix/fromibm/security.xdat.tar.Z

         Filename   sum         md5
         =================================================================
         xdat       44047 74    33bcec8bbc7d8eb2e4e2ae760d2b986e

      Use the following steps (as root) to install the temporary fix:

      1. Uncompress and extract the fix:

            # uncompress < security.xdat.tar.Z | tar xf -

      2. Use the "xdat_patch.sh" script or the following manual commands:

            # pgp xdat/xdat.pgp xdat/xdat
            # cp /usr/lpp/X11/bin/xdat /usr/lpp/X11/bin/xdat.orig
            # chmod -s /usr/lpp/X11/bin/xdat.orig
            # cp xdat/xdat /usr/lpp/X11/bin/xdat
            # chmod 4555 /usr/lpp/X11/bin/xdat

      This fix has not been fully regression tested but does prevent the TZ
      environment variable exploit. If the new executable fails to load due
      to missing symbols, the following APARs may help to resolve the
      prerequisites:

         AIX 4.1: IX69580
         AIX 4.2: IX69180

IV. Obtaining Fixes

   IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
   FixDist program), or from the IBM Support Center. For more information on
   FixDist, and to obtain fixes via the Internet, please reference

      http://service.software.ibm.com/aixsupport/

   or send electronic mail to "aixserv@austin.ibm.com" with the word
   "FixDist" in the "Subject:" line.

V. Acknowledgements

   Thanks to Bryan Self for bringing this problem to our attention.

==============================================================================

                            VULNERABILITY SUMMARY

VULNERABILITY: Buffer overflows in the libDtSvc.a library
PLATFORMS:     IBM AIX(r) 4.1, 4.2
SOLUTION:      Apply the fixes listed below
THREAT:        Local users can become root

                            DETAILED INFORMATION

I. Description

   A buffer overflow vulnerability exists in the AIX libDtSvc.a library that
   can allow local users to become root. An exploit has been posted to the
   Bugtraq mailing list. In the course of investigating the libDtSvc.a
   overflows, fixes were made to the writesrv and rcp commands as well.

II. Fixes

   Abstract                                       4.1 APAR     4.2 APAR
   ====================================================================
   SECURITY: buffer overflow in dtaction          IX69179      IX69180
   SECURITY: buffer overflow in writesrv          IX69168      IX69169
   SECURITY: buffer overflow in /bin/rcp          IX69170      IX69171

   To determine if you have these APARs on your system, run the following
   command (double quotes required if more than one APAR is specified):

      instfix -ivk " [ ...]"

   Or run the following command (no double quotes):

      lslpp -h [ ...]

   Each installed fileset listed in the tables below must be at the
   indicated version or higher.

   AIX 4.1
   -------
   Fileset                   Version
   ================================================
   X11.Dt.rte                4.1.5.13
   X11.Dt.helprun            4.1.5.2
   bos.rte.im                4.1.4.2
   X11.base.lib              4.1.5.6
   X11.Dt.lib                4.1.5.5
   X11.motif.lib             4.1.5.4
   X11.samples.lib.Core      4.1.5.2
   bos.rte.misc_cmds         4.1.5.3
   bos.rte.tcp.client        4.1.5.11

   AIX 4.2
   -------
   Fileset                   Version
   ================================================
   X11.Dt.rte                4.2.1.5
   X11.Dt.helprun            4.2.1.1
   bos.rte.im                4.2.1.1
   X11.vsm.rte               4.2.1.3
   X11.motif.lib             4.2.1.2
   X11.samples.lib.Core      4.2.0.1
   bos.rte.misc_cmds         4.2.1.1
   bos.net.tcp.client        4.2.1.10

   To Order
   ========

   APARs may be ordered using Electronic Fix Distribution (via FixDist) or
   from the IBM Support Center. For more information on FixDist, reference
   URL:

      http://service.software.ibm.com/aixsupport/

   or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".

==============================================================================

                            VULNERABILITY SUMMARY

VULNERABILITY: Buffer overflow and insecure log files in the AIX portmir
               command
PLATFORMS:     IBM AIX(r) 4.2.1
SOLUTION:      Remove the setuid bit from /usr/sbin/portmir
THREAT:        Local users can become root

                            DETAILED INFORMATION

I. Description

   Several vulnerabilities exist in the portmir command that can allow
   local users to become root. This command was added in 4.2.1; therefore,
   4.1 and 3.2 are not vulnerable.

II. Impact

   Local users can become root.

III. Fixes

   A. How to alleviate the problem

      Run the following command (as root) to close this vulnerability until
      APARs can be applied:

         # chmod u-s /usr/sbin/portmir

   B. Official fix

      Apply the following fix to your system:

         APAR - IX71795

      To determine if you have this APAR on your system, run the following
      command:

         instfix -ik IX71795

      Or run the following command:

         lslpp -h bos.sysmgt.serv_aid

      Your version of bos.sysmgt.serv_aid should be 4.2.1.4 or later.

   C. To Order

      APARs may be ordered using Electronic Fix Distribution (via FixDist)
      or from the IBM Support Center. For more information on FixDist,
      reference URL:

         http://service.software.ibm.com/aixsupport/

      or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".

==============================================================================

                            VULNERABILITY SUMMARY

VULNERABILITY: The AIX piodmgrsu command incorrectly uses privilege
PLATFORMS:     IBM AIX(r) 4.1, 4.2
SOLUTION:      Apply the fixes listed below
THREAT:        Local users can gain additional privileges

                            DETAILED INFORMATION

I. Description

   The piodmgrsu command was first shipped in AIX 4.1 and performs various
   operations on the printer backend's alternate ODM database. The command
   passes an insecure environment to its children, allowing local users to
   gain access to the administrative "printq" group.

II. Fixes

   AIX 4.1
   -------

   Apply the following fix to your system:

      APAR - IX71514

   To determine if you have this APAR on your system, run the following
   command:

      instfix -ik IX71514

   Or run the following command:

      lslpp -h printers.rte

   Your version of printers.rte should be 4.1.5.4 or later.

   AIX 4.2
   -------

   Apply the following fix to your system:

      APAR - IX71517

   To determine if you have this APAR on your system, run the following
   command:

      instfix -ik IX71517

   Or run the following command:

      lslpp -h printers.rte

   Your version of printers.rte should be 4.2.1.2 or later.

   To Order
   --------

   APARs may be ordered using Electronic Fix Distribution (via FixDist) or
   from the IBM Support Center. For more information on FixDist, reference
   URL:

      http://service.software.ibm.com/aixsupport/

   or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".

==============================================================================

                            VULNERABILITY SUMMARY

VULNERABILITY: The AIX "nslookup" command does not drop privileges correctly
PLATFORMS:     IBM AIX(r) 4.1, 4.2
SOLUTION:      Apply the fixes listed below
THREAT:        Local users can become root

                            DETAILED INFORMATION

I. Description

   The nslookup command has a vulnerability that allows local users to
   become root.

II. Solutions

   A. How to alleviate the problem

      This problem can be alleviated by removing the set-user-id bit from
      the "nslookup" program. To do this, execute the following command as
      "root":

         chmod 555 /usr/bin/nslookup

      Removing the set-user-id bit will not result in lost functionality
      unless /etc/resolv.conf exists and is not world-readable.

   B. Official fix

      AIX 4.1
      -------

      Apply the following fix to your system:

         APAR - IX71464

      To determine if you have this APAR on your system, run the following
      command:

         instfix -ik IX71464

      Or run the following command:

         lslpp -h bos.net.tcp.client

      Your version of bos.net.tcp.client should be 4.1.5.14 or later.

      AIX 4.2
      -------

      Apply the following fix to your system:

         APAR - IX70815

      To determine if you have this APAR on your system, run the following
      command:

         instfix -ik IX70815

      Or run the following command:

         lslpp -h bos.net.tcp.client

      Your version of bos.net.tcp.client should be 4.2.1.10 or later.

   To Order
   --------

   APARs may be ordered using Electronic Fix Distribution (via FixDist) or
   from the IBM Support Center. For more information on FixDist, reference
   URL:

      http://service.software.ibm.com/aixsupport/

   or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".
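The interim mitigation for xdat, portmir and nslookup is the same in each section above: clear the set-user-id bit until the APAR is installed. The sh script below, added here as an example and not part of the CERT-NL or IBM text, audits whether the three paths the advisory names still carry that bit; it assumes those paths are unchanged and relies only on POSIX find(1), so it can also be pointed at other setuid programs.

```shell
#!/bin/sh
# Added example (not from the advisory): check whether the set-user-id bit is
# still present on the programs this advisory tells you to de-suid.
# Paths are the ones given in the advisory and are assumed to be unchanged.

ADVISORY_SUID_PATHS="/usr/lpp/X11/bin/xdat /usr/sbin/portmir /usr/bin/nslookup"

# has_suid FILE: succeed (exit 0) if FILE exists and has mode bit 04000 set.
has_suid() {
    # -prune stops find from descending in case FILE is a directory.
    [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]
}

# check_suid_bits FILE...: print one status line per file; return 1 if any
# file still carries the setuid bit, 0 otherwise. A missing file is reported
# but not counted as a failure: the command may simply not be installed.
check_suid_bits() {
    status=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "absent  $f"
        elif has_suid "$f"; then
            # The mitigation string is the one the advisory gives for portmir.
            echo "SETUID  $f   (mitigate with: chmod u-s $f)"
            status=1
        else
            echo "ok      $f"
        fi
    done
    return $status
}

# Stand-alone use: "sh check_suid.sh audit" audits the advisory's paths;
# sourcing the file only defines the functions.
case "${1:-}" in
    audit) check_suid_bits $ADVISORY_SUID_PATHS ;;
esac
```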
==============================================================================
==============================================================================

CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related
institutes. CERT-NL is a member of the Forum of Incident Response and
Security Teams (FIRST).

All CERT-NL material is available under:
   http://www.surfnet.nl/surfnet/security/cert-nl.html
   ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e.
UTC+0100 in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl          ATTENDED REGULARLY ALL DAYS
Phone:     +31 302 305 305             BUSINESS HOURS ONLY
Fax:       +31 302 305 329             BUSINESS HOURS ONLY
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA  UTRECHT
           The Netherlands

EMERGENCIES: 06 52 87 92 82            ATTENDED AT ALL TIMES
EMERGENCIES: +31 6 52 87 92 82         ATTENDED AT ALL TIMES

CERT-NL'S EMERGENCY PHONE NUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED* PROCEDURE
FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT TO CERT-NL IN
AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
==============================================================================