Wednesday, August 01, 2007

[UNIX] IBM AIX capture Terminal Control Sequence Buffer Overflow Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

IBM AIX capture Terminal Control Sequence Buffer Overflow Vulnerability
------------------------------------------------------------------------


SUMMARY

The
<http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.cmds/doc/aixcmds1/capture.htm> capture program is a setuid root application, installed by default under multiple versions of IBM AIX, that allows terminal sessions to be dumped to a file.

Local exploitation of a stack-based buffer overflow vulnerability in the
'capture' program included with IBM Corp.'s AIX operating system allows an
attacker to execute arbitrary code with root privileges.

DETAILS

Vulnerable Systems:
* AIX version 5.3 with service pack 6.
* (Previous versions may also be affected).

The vulnerability exists within the code that parses terminal control
sequences. A long series of control sequences will trigger an exploitable
stack-based buffer overflow.

Exploitation of this vulnerability results in the execution of arbitrary
code with root privileges.

The capture program is setuid root, and executable by any user with local
access. The vulnerability is a stack-based buffer overflow, and is
trivially exploitable.

Workaround:
Removing the setuid bit from the binary will prevent exploitation, but may
make the program unusable by non-root users.

IBM Corp. has addressed this vulnerability by releasing interim fixes.
More information can be found via the Bulletins tab of IBM's Subscription
Service for UNIX and Linux servers:
<http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1>

http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3333>
CVE-2007-3333

Disclosure Timeline:
* 06/05/2007 - Initial vendor notification
* 06/08/2007 - Initial vendor response
* 07/26/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:

<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=570>

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=570

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments:

Post a Comment