||Home : Advisories : Format string vulnerability in AIX(r) locale subsystem|
||Format string vulnerability in AIX(r) locale subsystem
||30th October 2000
-----BEGIN PGP SIGNED MESSAGE-----
- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL
EMERGENCY RESPONSE SERVICE
FOR YOUR INFORMATION
25 OCT 2000 22:40 GMT Number:
THIS IS NOT A SECURITY VULNERABILITY ALERT
IBM-ERS For Your Information (FYI) documents are designed to provide
of the IBM Emergency Response Service with information about current topics
the fields of Internet and virus security. FYI documents will be issued
periodically as the need arises. Topics may include security implications
new protocols in use on the Internet, implementation suggestions for
types of services, virus hype and hoaxes, and answers to frequently asked
Format string vulnerability in AIX(r) locale subsystem.
IV. OBTAINING FIXES
VI. CONTACT INFORMATION
VULNERABILITY: Format string vulnerability in AIX(r) locale subsystem.
PLATFORMS: IBM AIX 3.2.x, 4.1.x, 4.2.x, 4.3.x
SOLUTION: Apply the fixes listed below.
THREAT: Local users can gain root access.
CVE candidate: CAN-2000-0844
AIX allows user specified locale file to be used for displaying
messages. This functionality is provided through the catopen() call.
This call uses the NLSPATH environment variable to specify an alternate
locale file instead of one of the system locale files. By constructing
a valid locale file which contains special format characters and
setting the NLSPATH environment variable to point to its path, a
malicious user can have privileged applications use his locale file to
obtain root privileges.
Any executable with the setuid or setgid bit set is potentially
vulnerable to root compromise.
A. Official fix
IBM is working on the following fix which will be available
AIX 4.3.x: IY13753
NOTE: Fix will not be provided for versions prior to 4.3 as
these are no longer supported by IBM. Affected customers are
urged to upgrade to 4.3, or higher.
B. How to minimize the vulnerability
A temporary fix for AIX 4.3.x systems is available which ignores
the NLSPATH environment variable. Note that pending standards
compliance review, the actual APAR fix may or may not be
implemented the same way. The temporary fix can be downloaded
via ftp from:
The MD5 checksum for the efix libc is:
Filename sum md5
libc.a 12878 6149 f8169a0c985220874c0404b4c69d5f20
This temporary fix has not been fully regression tested. Do the
following steps (as root) to install the temporary fix:
1. Determine the version of the libc fileset on your machine.
# lslpp -l bos.rte.libc
If the version of the libc.a fileset for your machine is not
at the level given below, install the requisite APAR
listed. This will help ensure that the libc fix will run
Release Fileset Version requisite APAR
AIX 4.3.x bos.rte.libc 184.108.40.206 IY12541
2. Uncompress and extract the fix.
a. place the temporary fix in a directory of your choosing, e.g.,
using /tmp as your_dir is a reasonable choice
b. # uncompress < locale_format_efix.tar.Z | tar xf -
The efix libc.a will be extracted to your_dir/locale_format/lib
3. Make sure the new libc.a works on your system.
a. # slibclean
b. # export LIBPATH=your_dir/locale_format/lib
c. # ls your_dir
NOTE: This "ls" is a simple test to make sure the new libc.a works.
If this does *NOT* work (i.e. you get a "killed" message), then do
*NOT* go further...this libc.a does not work on your system.
4. Follow the instructions below to install the new libc.a.
Make a copy of the original libc.a (make sure there is enough
free apace in the filesystem to for you to work with), e.g.,
a. # mkdir /usr/ccs/lib/sv
b. # cp /usr/ccs/lib/libc.a /usr/ccs/lib/sv
Copy the libc.a fix into place, e.g.,
a. # cp -f your_dir/locale_format/lib/libc.a /usr/ccs/lib/
b. # chown bin.bin /usr/ccs/lib/libc.a
c. # chmod 555 /usr/ccs/lib/libc.a
d. # ln -sf /usr/ccs/lib/libc.a /usr/lib/libs.a
e. # unset LIBPATH
f. # slibclean
Make sure that the new libraries will be picked up at
the next reboot.
# bosboot -a
IV. Obtaining Fixes
IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
FixDist program), or from the IBM Support Center. For more information
on FixDist, and to obtain fixes via the Internet, please reference
or send email to "email@example.com" with the word "FixDist" in the
To facilitate ease of ordering all security related APARs for each AIX
release, security fixes are periodically bundled into a cumulative APAR.
For more information on these cumulative APARs including last update and
list of individual fixes, send email to "firstname.lastname@example.org" with
the word "subscribe Security_APARs" in the "Subject:" line.
Thanks to Ivan Arce of CORE-SDI for bringing this vulnerability to
VI. Contact Information
Comments regarding the content of this announcement can be directed to:
To request the PGP public key that can be used to encrypt new AIX
security vulnerabilities, send email to email@example.com
with a subject of "get key".
If you would like to subscribe to the AIX security newsletter, send a
note to firstname.lastname@example.org with a subject of "subscribe Security".
To cancel your subscription, use a subject of "unsubscribe Security".
To see a list of other available subscriptions, use a subject of
IBM and AIX are a registered trademark of International Business
Machines Corporation. All other trademarks are property of their
IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment. IBM's Virus Emergency
Response Service is a subscription-based service that provides assistance
with virus risk and emergency management. By acting as an extension of
own internal security staff, IBM-ERS's team of security experts helps you
quickly detect and respond to attacks and exposures to your I/T
As a part of IBM's Business Continuity Recovery Services organization, the
IBM Emergency Response Service is a component of IBM's SecureWay(tm)
line of security products and services. From hardware to software to
consulting, SecureWay solutions can give you the assurance and expertise
need to protect your valuable business resources. To find out more about
IBM Emergency Response Service, send an electronic mail message to
email@example.com, or call 1-800-426-7378.
IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security
team contact information, and other items.
IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism
security vulnerability alerts and other distributed information. The
PGP* public key is available from
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.
IBM-ERS is a Member Team of the Forum of Incident Response and Security
(FIRST), a global organization established to foster cooperation and
coordination among computer security teams worldwide.
Copyright 2000 International Business Machines Corporation.
The information in this document is provided as a service to customers of
the IBM Emergency Response Service. Neither International Business
Corporation, nor any of its employees, makes any warranty, express or
or assumes any legal liability or responsibility for the accuracy,
ness, or usefulness of any information, apparatus, product, or process
contained herein, or represents that its use would not infringe any
owned rights. Reference herein to any specific commercial products,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by IBM or its subsidiaries. The views and opinions of authors expressed
herein do not necessarily state or reflect those of IBM or its
and may not be used for advertising or product endorsement purposes.
The material in this document may be reproduced and distributed, without
permission, in whole or in part, by other security incident response teams
(both commercial and non-commercial), provided the above copyright is kept
intact and due credit is given to IBM-ERS.
This document may be reproduced and distributed, without permission, in its
entirety only, by any person provided such reproduction and/or distribution
is performed for non-commercial purposes and with the intent of increasing
the awareness of the Internet community.
- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----