IBM AIX Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
Multiple vulnerabilities have been discovered in IBM AIX. These
vulnerabilities would allow local exploitation that could lead to elevated
privileges.
DETAILS
Vulnerable Systems:
* IBM AIX version 5.3 (5300-06) - ftp
* IBM AIX version 5.3 (5300-06) and 5.2 - bellmail, lquerypv, lqueryvg
* IBM AIX version 5.2 - dig, crontab, swcons
IBM AIX ftp domacro Parameter Buffer Overflow Vulnerability
The ftp program is a client application for accessing data stored on FTP
servers. This client is responsible for interfacing with users and
speaking the FTP protocol with remote servers. Under AIX, the ftp program
is installed by default and is set-uid root.
Local exploitation of a buffer overflow vulnerability in the ftp client of
IBM Corp.'s AIX operating system allows attackers to execute arbitrary
code with root privileges.
The problem specifically exists within the domacro() function. This
function is called when executing a macro via the '$' command within the
ftp program. When executing a macro, the parameter is copied to a fixed
size stack buffer using an unbounded call to strcpy(). By specifying a
long argument, an attacker is able to overwrite program control data
located on the stack and take control of the affected process.
Vendor response:
IBM Corp. has addressed this vulnerability by releasing interim fixes.
More information can be found via the Bulletins tab of IBM's Subscription
Service for UNIX and Linux servers. You can reach this service by clicking
the URL shown below:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1
CVE Information:
CVE-2007-4217: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4217
IBM AIX bellmail Stack Buffer Overflow Vulnerability
bellmail is a mail user-agent (MUA) and is commonly used for accessing
locally stored electronic mail messages. Under AIX, the bellmail program
is installed by default and is set-uid root.
Local exploitation of a buffer overflow vulnerability in the bellmail
program of IBM Corp.'s AIX operating system allows attackers to execute
arbitrary code with root privileges.
The problem specifically exists within the sendrmt() function. This
function is called when a user tries to send mail using the "m" command.
Within this function, several sprintf() calls concatenate user-supplied
input with static strings. No bounds checking is performed to ensure that
the resulting string will fit in the destination buffer located on the
stack. By supplying a long parameter, an attacker is able to overwrite
program control data located on the stack and take control of the affected
process.
Vendor response:
IBM Corp. has addressed this vulnerability by releasing interim fixes.
More information can be found via the Bulletins tab of IBM's Subscription
Service for UNIX and Linux servers. You can reach this service by clicking
the URL shown below.
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1
CVE Information:
CVE-2007-4623: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4623
IBM AIX lquerypv Stack Buffer Overflow Vulnerability
The lquerypv utility is used to examine the properties of a physical
volume in a volume group. It is installed set-uid root by default on
multiple versions of AIX.
Local exploitation of a stack buffer overflow vulnerability in IBM Corp.'s
AIX operating system may allow an attacker to execute arbitrary code with
root privileges.
The vulnerability exists within the parsing of the '-V' command line
option. The argument to this option is copied into a fixed size stack
buffer using the sprintf() function without properly validating the
length. This leads to an exploitable stack buffer overflow.
Vendor response:
IBM Corp. has addressed this vulnerability by releasing interim fixes.
More information can be found via the Bulletins tab of IBM's Subscription
Service for UNIX and Linux servers. You can reach this service by clicking
the URL shown below:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1
CVE Information:
CVE-2007-4513: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4513
IBM AIX lqueryvg Stack Buffer Overflow Vulnerability
The lqueryvg utility is used to examine the properties of disk volume
groups. It is installed set-uid root by default on multiple versions of
AIX.
Local exploitation of a stack buffer overflow vulnerability in IBM Corp.'s
AIX operating system may allow an attacker to execute arbitrary code with
root privileges.
The vulnerability exists within the parsing of the '-p' command line
option. The argument to this option is copied into a fixed size stack
buffer using the sprintf() function without properly validating the
length. This leads to an exploitable stack buffer overflow.
Vendor response:
IBM Corp. has addressed this vulnerability by releasing interim fixes.
More information can be found via the Bulletins tab of IBM's Subscription
Service for UNIX and Linux servers. You can reach this service by clicking
the URL shown below:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1
CVE Information:
CVE-2007-4513: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4513
IBM AIX dig dns_name_fromtext Integer Underflow Vulnerability
dig is a utility that is commonly used for DNS diagnostics. Under AIX 5.2,
the dig program is installed by default and is set-uid root.
Local exploitation of an integer underflow vulnerability in the dig
program of IBM Corp.'s AIX operating system allows attackers to execute
arbitrary code with root privileges.
The problem specifically exists within the dns_name_fromtext() function in
the libdns.a library. This function is called when processing the '-y'
command line parameter to the dig program. By supplying a specially
crafted TSIG key parameter, an attacker is able to cause an integer
underflow, resulting in potentially exploitable heap corruption.
Vendor response:
IBM Corp. has addressed this vulnerability by releasing interim fixes.
More information can be found via the Bulletins tab of IBM's Subscription
Service for UNIX and Linux servers. You can reach this service by clicking
the URL shown below:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1
CVE Information:
CVE-2007-4622: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4622
IBM AIX 5.2 crontab BSS Buffer Overflow Vulnerability
The crontab program is a user utility that enables users to create,
remove, and edit cron jobs. The cron jobs will then later be executed, on
behalf of the user, at the specified time. Under AIX, the crontab program
is installed by default and is set-uid root.
Local exploitation of a buffer overflow vulnerability in the crontab
program of IBM Corp.'s AIX 5.2 operating system allows attackers to
execute arbitrary code with root privileges.
The problem specifically exists within the main() function. While
processing command line arguments, the crontab program copies a
user-supplied argument into a fixed-size buffer in the BSS segment
(uninitialized data). Since no bounds checking is performed, it is possible
to overwrite a large portion of the data stored in the BSS memory area.
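The unbounded copy pattern the advisory describes for ftp (strcpy), bellmail, lquerypv and lqueryvg (sprintf) and crontab, next to a bounded replacement that fails closed instead of overflowing. This is an added example, not IBM's code or its interim fix; the buffer size, function names and inputs are constructed.

```c
/* Added example (not IBM's code): unbounded copy versus a bounded one.
 * ARG_BUF stands in for the fixed-size buffers the advisory describes. */
#include <stdio.h>
#include <string.h>

#define ARG_BUF 64

/* The unsafe pattern: strcpy() of a user-controlled argument into a
 * fixed-size buffer. Shown for contrast only; main() calls it with a
 * short, constant argument. */
static void copy_arg_unsafe(char dst[ARG_BUF], const char *arg)
{
    strcpy(dst, arg);   /* overflows when strlen(arg) >= ARG_BUF */
}

/* Bounded replacement for the strcpy() case: refuses (rather than
 * silently truncates) an argument that does not fit, so the caller can
 * report an error. Returns 0 on success, -1 if the argument is too long. */
int copy_arg_bounded(char *dst, size_t cap, const char *arg)
{
    size_t n = strlen(arg);
    if (cap == 0 || n >= cap)
        return -1;
    memcpy(dst, arg, n + 1);    /* includes the terminating NUL */
    return 0;
}

/* Bounded replacement for the sprintf() concatenation case: snprintf()
 * plus an explicit truncation check. Returns the length written, or -1
 * (and an empty dst) when the result would not fit. */
int build_cmd_bounded(char *dst, size_t cap, const char *prefix, const char *arg)
{
    int n = snprintf(dst, cap, "%s %s", prefix, arg);
    if (n < 0 || (size_t)n >= cap) {
        if (cap)
            dst[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char buf[ARG_BUF];
    char longarg[ARG_BUF * 2];                  /* constructed oversized input */
    memset(longarg, 'A', sizeof longarg - 1);
    longarg[sizeof longarg - 1] = '\0';
    copy_arg_unsafe(buf, "short");
    printf("bounded copy of long arg: %d\n", copy_arg_bounded(buf, sizeof buf, longarg));
    printf("bounded concat: %d\n", build_cmd_bounded(buf, sizeof buf, "mail", "user"));
    return 0;
}
```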
Vendor response:
IBM Corp. has addressed this vulnerability by releasing interim fixes.
More information can be found via the Bulletins tab of IBM's Subscription
Service for UNIX and Linux servers. You can reach this service by clicking
the URL shown below.
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1
CVE Information:
CVE-2007-4621: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4621
IBM AIX swcons Local Arbitrary File Access Vulnerability
The swcons program is a set-uid root application which is installed by
default on IBM AIX. It allows for console logs to be temporarily logged to
a file or device.
Local exploitation of a file access vulnerability in the swcons command
included in multiple versions of IBM Corp.'s AIX could allow for the
creation or modification of arbitrary files anywhere on the system.
The vulnerability specifically exists due to a lack of sanity checking
when using the -p option. If a user specifies a file with the -p option,
the contents of that file will be overwritten with 65,535 bytes of
uncontrolled data. If the file doesn't exist, it will be created. In both
cases, the file will also be converted to mode 222, which allows all users
on the system to modify it. By specifying a system file, users can cause a
denial of service condition or elevate privileges.
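One defensive pattern for the file-access problem described above, as an added example (not IBM's code or its fix): a set-uid root utility opens the user-supplied path with the real user's privileges so the kernel's permission check applies to the invoking user, refuses a symlink at the final component, and never creates the file world-writable. The path and function names are constructed.

```c
/* Added example (not IBM's code): opening a user-supplied log path from a
 * set-uid program without turning it into an arbitrary-file-write primitive. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open PATH for writing as the *real* user, creating it with mode 0600
 * (never a world-writable mode such as 222). O_NOFOLLOW rejects a symlink
 * planted at PATH. Returns a file descriptor or -1 (errno set). */
int open_console_log(const char *path)
{
    uid_t saved = geteuid();
    int fd, err;

    if (seteuid(getuid()) != 0)          /* temporarily drop to real uid */
        return -1;
    fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    err = errno;
    if (seteuid(saved) != 0 && fd >= 0) { /* cannot regain; fail closed */
        close(fd);
        fd = -1;
    }
    errno = err;
    return fd;
}

/* Post-open check for the mode problem the advisory describes: 1 if the
 * file is not group- or world-writable, 0 if it is, -1 on fstat failure. */
int mode_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) ? 0 : 1;
}

int main(void)
{
    const char *path = "/tmp/console_log_example.log";   /* constructed path */
    int fd = open_console_log(path);
    if (fd < 0) {
        perror("open_console_log");
        return 1;
    }
    printf("opened %s, private mode: %d\n", path, mode_is_private(fd));
    close(fd);
    unlink(path);
    return 0;
}
```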
Vendor response:
IBM Corp. has addressed this vulnerability by releasing interim fixes.
More information can be found via the Bulletins tab of IBM's Subscription
Service for UNIX and Linux servers. You can reach this service by clicking
the URL shown below:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1
ADDITIONAL INFORMATION
The information has been provided by iDefense.
The original article can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=617
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=616
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=615
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=614
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=613
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=612
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=611