Search This Blog

Wednesday, August 01, 2007

[UNIX] IBM AIX pioout Arbitrary Library Loading Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

IBM AIX pioout Arbitrary Library Loading Vulnerability
------------------------------------------------------------------------


SUMMARY

The
<http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.cmds/doc/aixcmds4/pioout.htm> pioout program is a setuid root application, installed by default under multiple versions of IBM AIX, that is used to interface with the printer driver.

Local exploitation of an arbitrary library loading vulnerability in the
'pioout' program, as included with IBM Corp.'s AIX operating system,
allows an attacker to execute arbitrary code with root privileges.

DETAILS

Vulnerable Systems:
* AIX version 5.3 with service pack 6.
* (Previous versions may also be affected).

Exploitation of this vulnerability results in the execution of arbitrary
code with root privileges.

The pioout program is setuid root, and executable by any user with local
access. To exploit the vulnerability, all an attacker has to do is create
a shared library that executes a shell.

Workaround:
Removing the setuid bit from the binary will prevent exploitation, but may
make the program unusable by non-root users.

Vendor Status:
IBM Corp. has addressed this vulnerability by releasing interim fixes.
More information can be found via the Bulletins tab of IBM's Subscription
Service for UNIX and Linux servers.
<http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1>

http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4003>
CVE-2007-4003

Disclosure Timeline:
* 06/05/2007 - Initial vendor notification
* 06/08/2007 - Initial vendor response
* 07/26/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:

<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=569>

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=569

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)