
Title: Local AIX 4.{3,2}.x vulnerabilities
Released by: Esa Etelavuori and Jouko Pynnönen
Date: 1st December 2000

Just for the record, here are some local AIX vulnerabilities we have found,
and which have been fixed by IBM this year. If you have been applying fixes,
there should be no problem with these anymore. But it might be interesting
to know what some of those massive fixes available on IBM's site actually are.

Release Date: 20001201

    AIX 4.{3,2}.x

Affected Programs

    setuid root                          V43 APARs  V42 APARs

        /usr/bin/setsenv *                IY08812    IY10721
            [ x=$s ]
        /usr/lib/lpd/digest *             IY08143    IY08287
            [ $s x ]
        /usr/sbin/portmir *               IY07832
            [ -t $s -d x ]
        /usr/bin/enq                      IY08143    IY08287
            [ -M $s ]
        /usr/bin/setclock                 IY07831    IY07790
            [ $s ]
        /usr/lib/lpd/pio/etc/pioout       IY12638
            [ PIO{DEVNAME,PTRTYPE}=$s ]

    setgid printq

        /usr/lib/lpd/piobe *              IY12638
        /usr/lib/lpd/pio/etc/piomkapqd *  IY12638
            [ -p $s ]
        /usr/bin/splp                     IY12638
            [ $s ]

    [*]      Confirmed exploitable.
    [ ... ]  Command line or environment position of the overlong string $s
             that triggers the overflow; no vector is listed for piobe.


    Exploitable buffer overflows in several setuid and setgid binaries (and
    libraries) allow local users to gain root access. Portmir can also be
    used to kill other processes as root.

    AIX has a world-writable system lock directory, which allows playing with
    hard links to kill other processes, such as cron, using portmir. The
    portmir overflow is trivial to exploit. Note that these are additional
    vulnerabilities beyond those corrected in 1997.

    Gaining access to the printq group gives write access to printer
    subsystem configuration files and directories, which contain other
    binaries. Printer subsystem programs seem to expect that they are
    executed by other printer programs with a correctly set-up environment;
    there are nice-looking variables such as PIO_IPCWRITEFD. The printq group
    also has access to run several other setuid root binaries, of which at
    least /usr/lib/lpd/digest is exploitable.

    The overflow in digest is a bit more interesting. Our exploit uses two
    overflows. The first one overwrites a pointer located after an overflowed
    library (?) buffer, which afterwards overflows another buffer on the
    stack. By that time digest has "dropped" its privileges, but the saved
    uid is still zero.
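    The "dropped, but the saved uid is still zero" situation above is the
    difference between changing only the effective uid and setting all three
    uids at once. The program below is an added illustration, not code from
    the advisory: it assumes a Linux/glibc host (getresuid/setresuid; AIX
    offers getuidx/setuidx for the same three ids, which are not used here)
    and shows that after seteuid() a process can still call seteuid(0), while
    after a full drop it cannot.

```c
/* privdrop_demo.c: a "temporary" drop keeps the saved uid, a real drop does
   not. Added illustration, not code from the advisory. Assumes glibc/Linux;
   on AIX the equivalent calls are getuidx()/setuidx() (not used here). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Declared explicitly so the example builds even if the feature macro above
   was not in effect when the headers were first included. */
extern int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
extern int setresuid(uid_t ruid, uid_t euid, uid_t suid);

struct uids { uid_t real, eff, saved; };

static struct uids snapshot(void)
{
    struct uids u = { 0, 0, 0 };
    if (getresuid(&u.real, &u.eff, &u.saved) != 0)
        perror("getresuid");
    return u;
}

void show(const char *label)
{
    struct uids u = snapshot();
    printf("%-30s real=%u eff=%u saved=%u\n", label,
           (unsigned)u.real, (unsigned)u.eff, (unsigned)u.saved);
}

/* 1 when real, effective and saved uid all equal target: there is no uid 0
   left anywhere to come back to. */
int privs_fully_dropped(uid_t target)
{
    struct uids u = snapshot();
    return u.real == target && u.eff == target && u.saved == target;
}

/* The pattern the advisory describes in digest: only the effective uid
   moves; the saved uid keeps its old value, so seteuid(0) still succeeds. */
int drop_temporarily(uid_t target)
{
    return seteuid(target);
}

/* Set all three uids, then prove it by trying to get root back, which must
   fail unless target itself is 0. setuid(target) from euid 0 has the same
   effect on AIX and Linux; setresuid() just makes the intent explicit. */
int drop_permanently(uid_t target)
{
    if (setresuid(target, target, target) != 0)
        return -1;
    if (target != 0 && seteuid(0) == 0)
        return -1;                 /* regained root: the drop was incomplete */
    return privs_fully_dropped(target) ? 0 : -1;
}

/* Install as a root-owned setuid binary to see the difference; run as an
   ordinary user all three uids are already equal and nothing changes. */
int main(void)
{
    uid_t me = getuid();

    show("start");
    drop_temporarily(me);
    show("after seteuid(me)");
    printf("seteuid(0) after temporary drop: %s\n",
           seteuid(0) == 0 ? "SUCCEEDED (still root-capable)" : "failed");

    if (drop_permanently(me) == 0)
        show("after setresuid(me,me,me)");
    printf("seteuid(0) after permanent drop: %s\n",
           seteuid(0) == 0 ? "SUCCEEDED" : "failed (expected)");
    return 0;
}
```

    To reproduce the effect, build it in a scratch VM, chown it to root and
    chmod 4755, then run it as an unprivileged user: the first seteuid(0)
    succeeds because the saved uid is still 0, the second fails. This is also
    the check to apply when auditing a setuid program that claims to drop
    privileges before parsing untrusted input.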

    Enq was not examined at all. Buffer overflows in setclock and splp happen
    in main(), so at least argv and env pointers can be overwritten, but it
    seems that no interesting data can be accessed. Pioout dies due to a
    never-ending strcpy() of the stored PIODEVNAME environment variable on
    the heap.

    That does not mean they are not exploitable; we just did not investigate
    them thoroughly, because debugging binary-only executables in one's free
    time with no reason gets boring quite quickly. Or maybe we interpreted
    the disassembly wrong.


    Fixes have been available at
    http://techsupport.services.ibm.com/rs6k/fixes.html for some time.
    Notifications of security fixes can be obtained by sending email to
    aixserv@austin.ibm.com with a subject of "subscribe Security_APARs".

    Proactive measures such as stripping s[ug]id bits from unused binaries,
    limiting access to the rest of them, and possibly applying suid wrappers
    that check command line arguments and environment variables are
    recommended. IBM's informative web site has other AIX-specific security
    guides.
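    A suid wrapper of the kind recommended above, as an added example that is
    neither the authors' nor IBM's code: it bounds every argument, rebuilds
    the environment from an allowlist with a fixed PATH, and only then execs
    the real program. It assumes the original binary has been moved to
    /usr/bin/enq.real and made root-owned, mode 0700, so it is reachable only
    through the wrapper; that path, the limits and the allowlist are
    assumptions to adapt per program.

```c
/* suidwrap.c: a setuid wrapper that bounds argv and rebuilds the environment
   before exec'ing the real program. Added illustration, not code from the
   advisory or from IBM. REAL_BINARY, the limits and the allowlist are
   assumptions to be adapted per wrapped program. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_ARG_LEN     256   /* assumed bound per argument, incl. argv[0] */
#define MAX_ENV_LEN     256   /* assumed bound per passed-through variable */
#define MAX_ENV_ENTRIES 64

/* Assumed: original binary moved aside, owned by root, mode 0700. */
static const char *const REAL_BINARY = "/usr/bin/enq.real";

/* Only these names reach the real program. PIODEVNAME, PIOPTRTYPE and
   PIO_IPCWRITEFD are therefore dropped; PATH is replaced by SAFE_PATH. */
static const char *const ENV_ALLOW[] =
    { "HOME", "LANG", "LC_ALL", "TZ", "PRINTER", "LPDEST", NULL };
static const char *const SAFE_PATH = "PATH=/usr/bin:/bin";

/* 1 if every argument is shorter than max_len and has no control bytes. */
int args_ok(int argc, char *const argv[], size_t max_len)
{
    for (int i = 0; i < argc; i++) {
        if (argv[i] == NULL || strlen(argv[i]) >= max_len)
            return 0;
        for (const unsigned char *p = (const unsigned char *)argv[i]; *p; p++)
            if (*p < 0x20 || *p == 0x7f)
                return 0;
    }
    return 1;
}

/* 1 if entry is "name=..." for exactly this name (not merely a prefix). */
static int has_name(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Copy allowlisted envp entries into out (NULL-terminated, capacity cap) and
   append SAFE_PATH. Returns the entry count, or -1 when an allowed value is
   too long (refused, never truncated) or out would overflow. */
int build_clean_env(char *const envp[], const char *const allow[],
                    size_t max_len, const char *out[], size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; envp[i] != NULL; i++)
        for (size_t j = 0; allow[j] != NULL; j++)
            if (has_name(envp[i], allow[j])) {
                if (strlen(envp[i]) >= max_len || n + 2 > cap)
                    return -1;
                out[n++] = envp[i];
                break;
            }
    if (n + 2 > cap)
        return -1;
    out[n++] = SAFE_PATH;
    out[n] = NULL;
    return (int)n;
}

/* Constructed samples: a normal "enq -M lp0" and the same call with a
   399-byte queue name. Returns 1 when the first passes and the second fails. */
int demo_args_check(void)
{
    static char big[400];
    memset(big, 'A', sizeof big - 1);
    char *const good[] = { "enq", "-M", "lp0", NULL };
    char *const bad[]  = { "enq", "-M", big, NULL };
    return args_ok(3, good, MAX_ARG_LEN) == 1 && args_ok(3, bad, MAX_ARG_LEN) == 0;
}

/* Constructed sample environment: a 319-byte PIODEVNAME (the pioout vector
   from the table), an attacker PATH and two harmless variables. Returns the
   cleaned entry count: LANG, HOME and SAFE_PATH survive, so 3. */
int demo_clean_env_count(void)
{
    static char pio[320];
    memset(pio, 'A', sizeof pio - 1);
    memcpy(pio, "PIODEVNAME=", 11);
    char *const sample[] = { pio, "PATH=/tmp/evil:/usr/bin", "LANG=C",
                             "HOME=/home/printop", NULL };
    const char *clean[MAX_ENV_ENTRIES];
    return build_clean_env(sample, ENV_ALLOW, MAX_ENV_LEN, clean, MAX_ENV_ENTRIES);
}

extern char **environ;

int main(int argc, char *argv[])
{
    const char *clean[MAX_ENV_ENTRIES];
    if (!args_ok(argc, argv, MAX_ARG_LEN)) {
        fprintf(stderr, "%s: argument too long or malformed\n", argv[0]);
        return 1;
    }
    if (build_clean_env(environ, ENV_ALLOW, MAX_ENV_LEN, clean, MAX_ENV_ENTRIES) < 0) {
        fprintf(stderr, "%s: environment rejected\n", argv[0]);
        return 1;
    }
    execve(REAL_BINARY, argv, (char *const *)clean);
    perror(REAL_BINARY);                  /* only reached if execve failed */
    return 127;
}
```

    The wrapper is installed root-owned with mode 4755 in place of the
    original. Because an effective uid of 0 is inherited across execve() of a
    non-setuid file, the real binary needs no setuid bit of its own, which is
    what keeps users from reaching it directly; the same arrangement with
    setgid printq covers piobe, piomkapqd and splp. This only closes the argv
    and environment vectors listed in the table above; an overflow fed through
    a file or socket would need a fix in the program itself.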

    We have not verified that the fixes are working due to lack of resources.
    If someone is willing to give me (EE) access to a new AIX-based
    (super)computer and does not mind occasional system crashes, I might
    provide a complete report. :-)

Credits & Acknowledgements

    Vulnerabilities were found by Esa Etelavuori (http://www.iki.fi/ee/)
    and Jouko Pynnönen (jouko@solutions.fi).

    Thanks to Troy Bollinger and others of the AIX security team for swift


