Title: Format string vulnerability in AIX(r) locale subsystem
Date: 30th October 2000




                           EMERGENCY RESPONSE SERVICE

                              FOR YOUR INFORMATION

25 OCT 2000 22:40 GMT                            Number:




IBM-ERS For Your Information (FYI) documents are designed to provide
customers of the IBM Emergency Response Service with information about
current topics in the fields of Internet and virus security.  FYI
documents will be issued periodically as the need arises.  Topics may
include security implications of new protocols in use on the Internet,
implementation suggestions for various types of services, virus hype and
hoaxes, and answers to frequently asked questions.


                                TODAY'S  TOPIC

              Format string vulnerability in AIX(r) locale subsystem.


                           VULNERABILITY SUMMARY

VULNERABILITY:    Format string vulnerability in AIX(r) locale subsystem.
PLATFORMS:        IBM AIX 3.2.x, 4.1.x, 4.2.x, 4.3.x
SOLUTION:         Apply the fixes listed below.
THREAT:           Local users can gain root access.
CVE candidate:    CAN-2000-0844


                           DETAILED INFORMATION

I.  Description

AIX allows a user-specified locale file to be used for displaying
messages.  This functionality is provided through the catopen() call.
This call uses the NLSPATH environment variable to specify an alternate
locale file instead of one of the system locale files.  By constructing
a valid locale file whose messages contain printf-style format
directives and setting the NLSPATH environment variable to point to its
path, a malicious user can have privileged applications use his locale
file to obtain root privileges.

II.  Impact

Any executable with the setuid or setgid bit set is potentially
vulnerable to root compromise.

III.  Solutions

  A.  Official fix

      IBM is working on the following fix which will be available

      AIX 4.3.x:  IY13753

      NOTE: Fix will not be provided for versions prior to 4.3 as
      these are no longer supported by IBM.  Affected customers are
      urged to upgrade to 4.3 or higher.

  B.  How to minimize the vulnerability

    A temporary fix for AIX 4.3.x systems is available which ignores
    the NLSPATH environment variable.  Note that pending standards
    compliance review, the actual APAR fix may or may not be
    implemented the same way.  The temporary fix can be downloaded
    via ftp from:
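The following C example is added here for illustration and is not IBM's code or any part of the efix: it shows the two defensive rules the Description and this temporary fix imply, namely that a privileged process should not honour an NLSPATH-supplied catalog at all, and that a catalog message should be handed to a printf-family function only when its conversion directives match the program's compiled-in default, otherwise it is printed through "%s". The uid/gid rule and the signature check are assumptions about how such a guard could be written, not the logic of the IBM efix.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Set-id or root processes must not honour an NLSPATH catalog, or an
 * unprivileged user picks the message text. Uid/gid rule is an assumption. */
int nlspath_allowed(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return !(euid == 0 || ruid != euid || rgid != egid);
}

/* Reduce a printf-style string to its conversion characters, e.g.
 * "file %s: %5.2lf" -> "sf" ("%%" is a literal percent sign).
 * Returns 0 on a dangling '%' or when sig would overflow. */
static int conversion_signature(const char *s, char *sig, size_t cap)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (*++s == '%') continue;
        while (*s && strchr("-+ #0123456789.*hlLqjzt", *s)) s++;
        if (*s == '\0' || n + 1 >= cap) return 0;
        sig[n++] = *s;
    }
    sig[n] = '\0';
    return 1;
}

/* A catalog message may be used as a format string only if it carries
 * exactly the conversions of the compiled-in default (the fallback given
 * to catgets()); extra or different directives such as %x or %n fail. */
int catalog_message_is_safe(const char *msg, const char *default_msg)
{
    char a[32], b[32];
    if (!conversion_signature(msg, a, sizeof a) ||
        !conversion_signature(default_msg, b, sizeof b))
        return 0;
    return strcmp(a, b) == 0;
}

/* Hardened replacement for printf(catgets(...), arg): the message is
 * formatted only if it passed the check, otherwise it is emitted
 * verbatim through "%s" and can never be interpreted as a format. */
int format_catalog_message(char *out, size_t cap, const char *msg,
                           const char *default_msg, const char *arg)
{
    if (catalog_message_is_safe(msg, default_msg))
        return snprintf(out, cap, msg, arg);
    return snprintf(out, cap, "%s", msg);
}
```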


    The MD5 checksum for the efix libc is:

    Filename        sum             md5
    libc.a          12878  6149     f8169a0c985220874c0404b4c69d5f20

    This temporary fix has not been fully regression tested.  Do the
    following steps (as root) to install the temporary fix:

    1.  Determine the version of the libc fileset on your machine.

        # lslpp -l bos.rte.libc

        If the version of the libc.a fileset for your machine is not
        at the level given below, install the requisite APAR
        listed.  This will help ensure that the libc fix will run

        Release        Fileset            Version        requisite APAR
        AIX 4.3.x      bos.rte.libc                      IY12541

    2.  Uncompress and extract the fix.

        a. Place the temporary fix in a directory of your choosing, e.g.,

           using /tmp as your_dir is a reasonable choice

        b. # uncompress < locale_format_efix.tar.Z | tar xf -

        The efix libc.a will be extracted to your_dir/locale_format/lib

    3.  Make sure the new libc.a works on your system.

        a. # slibclean
        b. # export LIBPATH=your_dir/locale_format/lib
        c. # ls your_dir

        NOTE: This "ls" is a simple test to make sure the new libc.a works.
        If this does *NOT* work (i.e. you get a "killed" message), then do
        *NOT* go further: this libc.a does not work on your system.

    4.  Follow the instructions below to install the new libc.a.

        Make a copy of the original libc.a (make sure there is enough
        free space in the filesystem for you to work with), e.g.,

          a. # mkdir /usr/ccs/lib/sv
          b. # cp /usr/ccs/lib/libc.a /usr/ccs/lib/sv

        Copy the libc.a fix into place, e.g.,

          a. # cp -f your_dir/locale_format/lib/libc.a /usr/ccs/lib/
          b. # chown bin.bin /usr/ccs/lib/libc.a
          c. # chmod 555 /usr/ccs/lib/libc.a
          d. # ln -sf /usr/ccs/lib/libc.a /usr/lib/libc.a
          e. # unset LIBPATH
          f. # slibclean

        Make sure that the new libraries will be picked up at
        the next reboot.

          # bosboot -a

    5.  Reboot.

IV.  Obtaining Fixes

IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
FixDist program), or from the IBM Support Center.  For more information
on FixDist, and to obtain fixes via the Internet, please reference

or send email to "aixserv@austin.ibm.com" with the word "FixDist" in the
"Subject:" line.

To facilitate ease of ordering all security related APARs for each AIX
release, security fixes are periodically bundled into a cumulative APAR.
For more information on these cumulative APARs including last update and
list of individual fixes, send email to "aixserv@austin.ibm.com" with
the word "subscribe Security_APARs" in the "Subject:" line.

V.  Acknowledgements

Thanks to Ivan Arce of CORE-SDI for bringing this vulnerability to
our attention.

VI.  Contact Information

Comments regarding the content of this announcement can be directed to:

To request the PGP public key that can be used to encrypt new AIX
security vulnerabilities, send email to security-alert@austin.ibm.com
with a subject of "get key".

If you would like to subscribe to the AIX security newsletter, send a
note to aixserv@austin.ibm.com with a subject of "subscribe Security".
To cancel your subscription, use a subject of "unsubscribe Security".
To see a list of other available subscriptions, use a subject of

IBM and AIX are registered trademarks of International Business
Machines Corporation.  All other trademarks are property of their
respective holders.

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment.  IBM's Virus Emergency
Response Service is a subscription-based service that provides assistance
with virus risk and emergency management.  By acting as an extension of
your own internal security staff, IBM-ERS's team of security experts helps
you quickly detect and respond to attacks and exposures to your I/T

As a part of IBM's Business Continuity Recovery Services organization, the
IBM Emergency Response Service is a component of IBM's SecureWay(tm)
line of security products and services.  From hardware to software to
consulting, SecureWay solutions can give you the assurance and expertise
you need to protect your valuable business resources.  To find out more
about the IBM Emergency Response Service, send an electronic mail message
to ers-sales@ers.ibm.com, or call 1-800-426-7378.

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security
alerts, team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism
for security vulnerability alerts and other distributed information.  The
PGP* public key is available from

"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.

IBM-ERS is a Member Team of the Forum of Incident Response and Security
Teams (FIRST), a global organization established to foster cooperation and
coordination among computer security teams worldwide.

Copyright 2000 International Business Machines Corporation.

The information in this document is provided as a service to customers of
the IBM Emergency Response Service.  Neither International Business
Machines Corporation, nor any of its employees, makes any warranty, express
or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus,
product, or process contained herein, or represents that its use would not
infringe any privately owned rights.  Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by IBM or its subsidiaries.  The
views and opinions of authors expressed herein do not necessarily state or
reflect those of IBM or its subsidiaries, and may not be used for
advertising or product endorsement purposes.

The material in this document may be reproduced and distributed, without
permission, in whole or in part, by other security incident response teams
(both commercial and non-commercial), provided the above copyright is kept
intact and due credit is given to IBM-ERS.

This document may be reproduced and distributed, without permission, in its
entirety only, by any person provided such reproduction and/or distribution
is performed for non-commercial purposes and with the intent of increasing
the awareness of the Internet community.



