=====================================================================
                                     CERT-Renater

                          Information Note No. 2007/VULN035
_____________________________________________________________________

DATE                      : 09/02/2007

HARDWARE PLATFORM(S)      : IBM.

OPERATING SYSTEM(S)       : AIX 5.2 and AIX 5.3

======================================================================

IBM SECURITY ADVISORY


First Issued: Wed Feb  7 16:05:27 CST 2007
==========================================================================
                            VULNERABILITY SUMMARY

VULNERABILITY:      A buffer overflow vulnerability exists in various
                     r-commands.

PLATFORMS:          AIX 5.2 and 5.3.

SOLUTION:           Apply the APAR, interim fix or workaround as
                     described below.

THREAT:             A local user may gain privileges.

CERT VU Number:     n/a
CVE Number:         n/a
=========================================================================
                            DETAILED INFORMATION


I.  Description
===============

A buffer overflow vulnerability in various r-commands may allow a local
user to gain root privileges. This vulnerability may be exploited through
the rsh, rcp, rlogin and rdist commands. These commands are used to provide
remote access to a system.


II. Impact
==========

A local user may gain root privileges.


III.  Solutions
===============

A. Official Fix

IBM provides the following fixes:

       APAR number for AIX 5.2.0:  IY94368 (available approx. 03/21/07)
       APAR number for AIX 5.3.0:  IY94301 (available approx. 03/07/07)

NOTE: Affected customers are urged to upgrade to the latest applicable
Technology Level.

The following table shows the vulnerable versions of bos.rte.libc and
bos.adt.prof for the specified AIX Releases.

Release              Lower         Upper
                      Level         Level
===========================================
AIX 5.2              5.2.0.0       5.2.0.98
AIX 5.3              5.3.0.0       5.3.0.54

B. Interim Fix

Interim fixes are available. The interim fixes can be downloaded via ftp
from:

     ftp://aix.software.ibm.com/aix/efixes/security/rcmds_ifix.tar.Z

This is a compressed tarball containing this advisory, interim fix packages
and cleartext PGP signatures for each package.


Verify you have retrieved the fixes intact:
+------------------------------------------
The interim fixes below are named by using the Technology Level
corresponding to the release that the fix applies to.

The checksums below were generated using the "sum" and "md5sum" commands
and are as follows:

The interim fixes below include prerequisite checking. This will enforce
the correct mapping between the fixes and AIX Technology Levels. The
interim fixes replace libc.a which ships as part of bos.rte.libc. When
installing these fixes, it will be necessary to remove other interim fixes
which modify libc.a. These interim fixes also address the buffer overflow
vulnerability in setlocale() addressed in a security advisory released in
August 2006.


Filename                   sum           md5
=========================================================================
IY94368_07.070206.epkg.Z   48092  3157   4e4bf247f1d42056f921efe60f6c98f0
IY94368_08.070206.epkg.Z   65051  3151   56fda7a07bb345f54b5cf0ff3a79f8ff
IY94368_09.070207.epkg.Z   57140  3167   8f1a57712588eefb2efd508faa7bebe4
IY94301_03.070206.epkg.Z   54915  3514   b26abfaa38300b63058e2fab793a3690
IY94301_04.070206.epkg.Z   64611  3524   a9728fb1df18403104786321f4b09fbc
IY94301_05.070207.epkg.Z   26724  3567   9269c1839e02dc6dc60c32713eaa1fbc

These sums should match exactly. The PGP signatures in the compressed
tarball and on this advisory can also be used to verify the integrity of
the various files they correspond to. If the sums or signatures cannot be
confirmed, double check the command results and the download site address.
If those are OK, contact IBM AIX Security at security-alert@austin.ibm.com
and describe the discrepancy.

The following table shows the prerequisite fileset level for the fixes
above. These levels correspond to the latest available versions of
bos.rte.libc for a given Technology Level.

Filename                   Fileset
                            Level
============================================
IY94368_07.070206.epkg.Z   5.2.0.78
IY94368_08.070206.epkg.Z   5.2.0.87
IY94368_09.070207.epkg.Z   5.2.0.98
IY94301_03.070206.epkg.Z   5.3.0.32
IY94301_04.070206.epkg.Z   5.3.0.44
IY94301_05.070207.epkg.Z   5.3.0.54

IMPORTANT: If possible, it is recommended that a mksysb backup of the
system is created. Verify it is both bootable and readable before
proceeding.

These interim fixes have not been fully regression tested; thus, IBM does
not warrant the fully correct functioning of the interim fix. Customers
install the interim fix and operate the modified version of AIX at their
own risk.


Interim Installation Instructions:
+---------------------------------

These packages use the new Interim Fix Management Solution to install and
manage ifixes. More information can be found at:

      http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

To preview an epkg ifix installation execute the following command:

# emgr -e ipkg_name -p       # where ipkg_name is the name of the
                              # ifix package being previewed.

To install an epkg ifix package, execute the following command:

# emgr -e ipkg_name -X       # where ipkg_name is the name of the
                              # ifix package being installed.

The "X" flag will expand any filesystems if required.

C. Workaround

Remove the setuid bit from the rsh, rcp, rlogin and rdist commands. This
can be done as follows:

# chmod u-s <filename>

Note that this may prevent these commands from functioning normally for
non-root users.
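Two checks a defender would script around this advisory, added here as an example and not part of IBM's or CERT-Renater's text: one tests a bos.rte.libc fileset level against the vulnerable ranges in the table in section III.A, the other reports which of rsh, rcp, rlogin and rdist still carry the setuid bit after the chmod workaround. The /usr/bin location of the r-commands and the lslpp field layout mentioned in the comments are assumptions.

```shell
#!/bin/sh
# Added audit helpers (constructed for this note, not IBM's own tooling).
# They check a bos.rte.libc level against the vulnerable ranges in the
# advisory table and report r-commands that still carry the setuid bit.

# Vulnerable ranges from the advisory: release, lower level, upper level.
VULN_RANGES="5.2 5.2.0.0 5.2.0.98
5.3 5.3.0.0 5.3.0.54"

# level_key LEVEL: turn a dotted fileset level such as 5.3.0.44 into a
# fixed-width decimal key (005003000044) so levels compare numerically.
level_key() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    printf '%03d%03d%03d%03d' "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}"
}

# is_vulnerable_libc LEVEL: return 0 when LEVEL lies inside a vulnerable
# range, 1 otherwise. Feed it the Level column of "lslpp -L bos.rte.libc"
# (assumed: "lslpp -Lc bos.rte.libc" gives it as the third colon field).
is_vulnerable_libc() {
    key=$(level_key "$1")
    while read -r rel lo hi; do
        [ -n "$rel" ] || continue
        if [ "$key" -ge "$(level_key "$lo")" ] &&
           [ "$key" -le "$(level_key "$hi")" ]; then
            return 0
        fi
    done <<EOF
$VULN_RANGES
EOF
    return 1
}

# audit_rcmd_setuid DIR: list the r-commands named in the workaround that
# still have the setuid bit. DIR defaults to /usr/bin (assumed location).
# Returns 0 when none is setuid, 1 when at least one still is.
audit_rcmd_setuid() {
    dir=${1:-/usr/bin}
    status=0
    for cmd in rsh rcp rlogin rdist; do
        if [ -u "$dir/$cmd" ]; then
            echo "setuid still set: $dir/$cmd"
            status=1
        fi
    done
    return $status
}
```

Run is_vulnerable_libc on the installed level before and after applying the APAR or ifix, and audit_rcmd_setuid after the chmod workaround to confirm nothing was missed.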


IV. Obtaining Fixes
===================

AIX Version 5 APARs can be downloaded from:

      http://www.ibm.com/servers/eserver/support/unixservers/aixfixes.html

Security related Interim Fixes can be downloaded from:

      ftp://aix.software.ibm.com/aix/efixes/security


V.  Contact Information
=======================

If you would like to receive AIX Security Advisories via email, please
visit:

      http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

Comments regarding the content of this announcement can be directed to:

      security-alert@austin.ibm.com

To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to security-alert@austin.ibm.com
with a subject of "get key". The key can also be downloaded from a PGP
Public Key Server. The key id is 0x1B14F299.

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their respective
holders.

======================================================================

            =========================================================
            CERT-Renater reference servers
            http://www.urec.fr/securite
            http://www.cru.fr/securite
            http://www.renater.fr
            =========================================================
            + CERT-RENATER          | tel : 01-53-94-20-44          +
            + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
            + 75013 Paris           | email: certsvp@renater.fr     +
            =========================================================