IBM AIX Operating System 'errpt' Command Buffer Overflow Can Give Root Privileges to Local Users

SecurityTracker Alert ID: 1005327
CVE Reference: GENERIC-MAP-NOMATCH
Date: Oct 1 2002
Impact: Execution of arbitrary code via local system, Root access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): AIX 4.3.x and 5.1.0

Description: A buffer overflow vulnerability was reported in the IBM AIX operating system 'errpt' command. A local user could obtain root privileges.

IBM reported that the 'errpt' error reporting command contains a buffer overflow that could allow a local user to execute arbitrary code and spawn a shell with root privileges. No further details were provided.

Impact: A local user can obtain root privileges on the system.

Solution: The vendor has released fixes:

APAR number for AIX 4.3.3: IY34018 (available approx 10/16/02)
APAR number for AIX 5.1.0: IY31320 (available approx 09/15/02)

Also, a temporary fix is available at:

ftp://aix.software.ibm.com/aix/efixes/security/errpt_efix.tar.Z

The efix compressed tarball contains two fixes: one for AIX 4.3.3 and one for AIX 5.1.0. It also includes this Advisory. The two fix files are "errpt.433" for 4.3.3 and "errpt.510" for 5.1.0.

Verify you have retrieved this efix intact:

There are 2 fix-files in this package for the 4.3.3 and 5.1.0 releases. The checksums below were generated using the "sum" and "md5" commands and are as follows:

Filename     sum          md5
errpt.433    15354 113    27bc6fbd51699d56ee2bfc52d6f5121d
errpt.510    31973 125    f55a80bc8cd9fa369a830db3fe4122f8

These sums should match exactly; if they do not, double check the command results and the download site address. If those are OK, contact IBM AIX Security at security-alert@austin.ibm.com and describe the discrepancy.

IMPORTANT: If possible, it is recommended that a mksysb backup of the system is created. Verify it is both bootable, and readable before proceeding.

These temporary fixes have not been fully regression tested; thus, IBM does not warrant the fully correct functioning of the efix. Customers install the efix and operate the modified version of AIX at their own risk.

For installation instructions for the temporary efixes, see the Source Message.

Vendor URL: www.ibm.com/
Cause: Boundary error
Underlying OS: UNIX (AIX)

Message History:
This archive entry has one or more follow-up message(s) listed below.

Source Message Contents

Date: Tue, 01 Oct 2002 10:36:14 -0400
Subject: Buffer overflow vulnerability in errpt command

IBM SECURITY ADVISORY
First Issued: Fri Sep 27 15:53:22 CDT 2002
===========================================================================
VULNERABILITY SUMMARY
VULNERABILITY: Buffer overflow vulnerability in errpt command.
PLATFORMS: IBM AIX 4.3.x and 5.1.0
SOLUTION: Apply the emergency-fixes described below, or
employ the workaround, also described below.
THREAT: Malicious user could obtain root privileges.
CERT Advisory: None.
===========================================================================
DETAILED INFORMATION
I. Description
AIX is shipped with the errpt command which allows the user to
generate an error report from entries in an error log.
It was recently discovered that there exists a buffer overflow
vulnerability in errpt that could allow an attacker to spawn
a shell with root privileges.
II. Impact
A malicious local user can use well-crafted exploit code
to gain root privileges on the attacked system, compromising the
integrity of the system and its attached local network.
This vulnerability was discovered during an internal code audit and
at this time there are no known exploits.
III. Solutions
A. WORKAROUND
To protect against an exploit before the efix or APAR is applied,
set the permission of errpt to r-xr-xr-x, 555.
B. Official fix
IBM provides the following fixes:
APAR number for AIX 4.3.3: IY34018 (available approx 10/16/02)
APAR number for AIX 5.1.0: IY31320 (available approx 09/15/02)
NOTE: Fix will not be provided for versions prior to 4.3 as
these are no longer supported by IBM. Affected customers are
urged to upgrade to 4.3.3 at the latest maintenance level,
or to 5.1.0.
C. How to minimize the vulnerability
Temporary fixes for AIX 4.3.x and 5.1.0 systems are available.
The temporary fixes can be downloaded via ftp from:
ftp://aix.software.ibm.com/aix/efixes/security/errpt_efix.tar.Z
The efix compressed tarball contains two fixes: one for
AIX 4.3.3 and one for AIX 5.1.0. It also includes this Advisory.
The two fix files are "errpt.433" for 4.3.3 and "errpt.510"
for 5.1.0.
Verify you have retrieved this efix intact:
-------------------------------------------
There are 2 fix-files in this package for the 4.3.3 and 5.1.0
releases.
The checksums below were generated using the "sum" and "md5" commands
and are as follows:

Filename     sum          md5
=================================================================
errpt.433    15354 113    27bc6fbd51699d56ee2bfc52d6f5121d
errpt.510    31973 125    f55a80bc8cd9fa369a830db3fe4122f8

These sums should match exactly; if they do not, double check the
command results and the download site address. If those are OK,
contact IBM AIX Security at security-alert@austin.ibm.com and
describe the discrepancy.
IMPORTANT: If possible, it is recommended that a mksysb backup of the
system is created. Verify it is both bootable, and readable before
proceeding.
These temporary fixes have not been fully regression tested; thus,
IBM does not warrant the fully correct functioning of the efix.
Customers install the efix and operate the modified version of AIX
at their own risk.
Efix Installation Instructions:
-------------------------------
You need to be at Maintenance Level 10 for AIX 4.3.3
or Level 2 for AIX 5.1.0.
To see if you are at the correct maintenance level:

    # instfix -i | grep AIX_ML

On one of the lines you should see:
    "All filesets for 4330-10_AIX_ML were found."
or
    "All filesets for 5100-02_AIX_ML were found."

Detailed installation instructions can be found in the README file
supplied in the efix package. These instructions are summarized
below.

1. Create a temporary efix directory and move to that directory.

    # mkdir /tmp/efix
    # cd /tmp/efix

2. Uncompress the efix and un-tar the resulting tarfile. Move to the
fix directory.

    # uncompress errpt_efix.tar.Z
    # tar xvf errpt_efix.tar

3. Move to the "errpt_efix" efix directory.

    # cd errpt_efix

4. Rename the patched errpt file appropriate for your system and set
ownership and permissions.

    # mv errpt.xxx errpt    # where xxx is 433 or 510
    # chown root.sys errpt
    # chmod 4555 errpt

5. Go to the /usr/bin directory and create a backup copy of original
errpt command. Remove all permissions from the backup copy.

    # cd /usr/bin
    # cp errpt errpt.orig
    # chmod 0 errpt.orig

6. Remove the original errpt and copy the patched version in its
place. Use the "-p" option to retain ownership and permission
settings from step 4.

    # rm errpt
    # cp -p /tmp/efix/errpt_efix/errpt errpt

IV. Obtaining Fixes
IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
FixDist program), or from the IBM Support Center. For more information
on FixDist, and to obtain fixes via the Internet, please reference
http://techsupport.services.ibm.com/rs6k/fixes.html
or send email to "aixserv@austin.ibm.com" with the word "FixDist" in the
"Subject:" line.
To facilitate ease of ordering all security related APARs for each AIX
release, security fixes are periodically bundled into a cumulative APAR.
For more information on these cumulative APARs including last update and
list of individual fixes, send email to "aixserv@austin.ibm.com" with
the word "subscribe Security_APARs" in the "Subject:" line.
V. Contact Information
Comments regarding the content of this announcement can be directed to:
security-alert@austin.ibm.com
To request the PGP public key that can be used to encrypt new AIX
security vulnerabilities, send email to security-alert@austin.ibm.com
with a subject of "get key".
If you would like to subscribe to the AIX security newsletter, send a
note to aixserv@austin.ibm.com with a subject of "subscribe Security".
To cancel your subscription, use a subject of "unsubscribe Security".
To see a list of other available subscriptions, use a subject of
"help".
IBM and AIX are a registered trademark of International Business
Machines Corporation. All other trademarks are property of their
respective holders.
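
The checksum verification and the installation steps in the advisory above can be checked mechanically. The following sh functions are an added example, not part of IBM's advisory or efix package: verify_fix compares a fix file against the MD5 published above, and audit_install confirms that the installed errpt is mode 4555 and that the errpt.orig backup from step 5 has no permissions left. The function names and the use of md5sum or openssl are assumptions.

```sh
#!/bin/sh
# Added example (not IBM's script): checks around the errpt efix procedure.
# The two MD5 values are the ones published in the advisory.
MD5_433=27bc6fbd51699d56ee2bfc52d6f5121d
MD5_510=f55a80bc8cd9fa369a830db3fe4122f8

# Print the MD5 of a file. Assumption: md5sum or openssl is installed;
# the advisory itself used the "sum" and "md5" commands.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_fix FILE EXPECTED_MD5
# Returns 0 on a match, 1 on a mismatch, 2 if the file is missing.
verify_fix() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    actual=$(md5_of "$1")
    [ "$actual" = "$2" ] && return 0
    echo "MD5 mismatch for $1: got $actual, want $2" >&2
    return 1
}

# Symbolic mode and owner of a path as ls reports them
# (cut drops any ACL/SELinux marker after the 10 mode characters).
mode_of()  { ls -ld "$1" | cut -c1-10; }
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# audit_install BINDIR [OWNER]
# Returns 0 only if BINDIR/errpt is mode 4555 and owned by OWNER
# (default root), and BINDIR/errpt.orig, if present, is mode 0.
audit_install() {
    dir=$1; owner=${2:-root}; rc=0
    [ "$(mode_of "$dir/errpt")" = "-r-sr-xr-x" ] ||
        { echo "$dir/errpt is not mode 4555" >&2; rc=1; }
    [ "$(owner_of "$dir/errpt")" = "$owner" ] ||
        { echo "$dir/errpt is not owned by $owner" >&2; rc=1; }
    if [ -e "$dir/errpt.orig" ] &&
       [ "$(mode_of "$dir/errpt.orig")" != "----------" ]; then
        echo "$dir/errpt.orig still has permissions set" >&2; rc=1
    fi
    return $rc
}
```

Typical use is `verify_fix errpt.510 "$MD5_510"` before step 4 and `audit_install /usr/bin` after step 6; the second call catches a backup copy of the unpatched binary that is still executable.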