SNS Advisory No.46
IBM AIX dtprintinfo Buffer Overflow Vulnerability

Problem first discovered: Fri, 05 Oct 2001
Published: Tue, 30 Oct 2001

_________________________________________________________________

Overview:

A buffer overflow vulnerability was found in the /usr/dt/bin/dtprintinfo program shipped with IBM AIX. Local malicious users could execute arbitrary code with root privileges.

Problem Description:

dtprintinfo, included with IBM AIX, is the program that opens the CDE Print Manager window. It is normally installed SUID root.

The "-session" option tells dtprintinfo to restore the client to its original desktop state by loading a session file. If the session filename given with this option is an unusually long string, dtprintinfo overflows a buffer. Properly exploited, a local malicious attacker could execute arbitrary code with root privileges.

Tested OS:

IBM AIX 4.3.3

Solution:

This security issue was reported to IBM Co. in advance. IBM released an advisory including an EMERGENCY FIX (efix) on October 29:

ftp://aix.software.ibm.com/aix/efixes/security/CDE_libDtSvc_efix.tar.Z

Additionally, the Official Fix will be made available soon.

Workarounds:

The following workaround minimizes the impact of this problem.

* Remove the SUID bit from dtprintinfo.

Discovered by:

Noboru Yoshinaga (LAC) yosinaga@lac.co.jp
ARAI Yuu (LAC) y.arai@lac.co.jp

Disclaimer:

All information in these advisories is subject to change without advance notice or mutual consensus, and each advisory is released as is. LAC Co.,Ltd. is not responsible for any risk or occurrence caused by applying this information.

_________________________________________________________________

Copyright(c) 1995-2002 Little eArth Corporation
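The flaw class the advisory describes is an option value copied into a fixed-size buffer without a length check. The following C program is an added illustration, not dtprintinfo's source or IBM's fix: the buffer size SESSION_NAME_MAX, the function names and the argument handling are all assumptions made for the example. It places the defective copy pattern next to a hardened version that measures the "-session" argument before copying and rejects anything that would not fit.

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed buffer size for the example; not dtprintinfo's real value. */
#define SESSION_NAME_MAX 256

/* Defective pattern: the option value is copied into a fixed stack buffer with
 * no bound, so an over-long argument writes past the end of session_file.
 * Shown for contrast only; never call this with untrusted input. */
int load_session_unchecked(const char *arg)
{
    char session_file[SESSION_NAME_MAX];
    strcpy(session_file, arg);            /* no length check: the flaw class */
    return (int)strlen(session_file);
}

/* Hardened pattern: find the terminator within the destination size first and
 * refuse the value if none is found. Returns the name length, or -1 on reject. */
int load_session_checked(const char *arg, char *out, size_t outsz)
{
    if (arg == NULL || out == NULL || outsz == 0)
        return -1;
    const char *end = memchr(arg, '\0', outsz);
    if (end == NULL)                      /* longer than the buffer holds: reject */
        return -1;
    size_t n = (size_t)(end - arg);
    memcpy(out, arg, n + 1);              /* n < outsz, so the NUL fits */
    return (int)n;
}

/* Minimal option walk: 0 when a valid -session value was stored, -1 otherwise. */
int parse_session_option(int argc, char **argv, char *out, size_t outsz)
{
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "-session") == 0)
            return load_session_checked(argv[i + 1], out, outsz) < 0 ? -1 : 0;
    }
    return -1;
}

/* Self-check with a constructed short name: expected to be accepted. */
int check_short_name(void)
{
    char out[SESSION_NAME_MAX];
    return load_session_checked("session.dt", out, sizeof out);
}

/* Self-check with a constructed over-long name: expected to be rejected. */
int check_long_name(void)
{
    char out[SESSION_NAME_MAX];
    char longname[SESSION_NAME_MAX * 4];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    return load_session_checked(longname, out, sizeof out);
}

int main(int argc, char **argv)
{
    char session_file[SESSION_NAME_MAX];
    if (parse_session_option(argc, argv, session_file, sizeof session_file) != 0) {
        fprintf(stderr, "usage: %s -session <file> (name must be under %d bytes)\n",
                argv[0], SESSION_NAME_MAX);
        return 2;
    }
    printf("session file accepted: %s\n", session_file);
    return 0;
}
```

The hardened version rejects an over-long value outright instead of silently truncating it, which is the safer choice in a SUID program: a truncated path could still name a file the user never intended, whereas a rejected argument fails closed with an error message.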