=====================================================================
CERT-Renater Information Note No. 2007/VULN409
_____________________________________________________________________
DATE                  : 02/11/2007
HARDWARE PLATFORM(S)  : IBM.
OPERATING SYSTEM(S)   : IBM AIX.
======================================================================

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=611
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=612
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=613
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=614
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=615
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=616
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=617
______________________________________________________________________

IBM AIX swcons Local Arbitrary File Access Vulnerability

iDefense Security Advisory 10.30.07
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 30, 2007

I. BACKGROUND

The swcons program is a set-uid root application which is installed by default on IBM AIX. It allows console logs to be temporarily written to a file or device.

II. DESCRIPTION

Local exploitation of a file access vulnerability in the swcons command included in multiple versions of IBM Corp.'s AIX could allow the creation or modification of arbitrary files anywhere on the system.

The vulnerability specifically exists due to a lack of sanity checking when using the -p option. If a user specifies a file with the -p option, the contents of that file will be overwritten with 65,535 bytes of uncontrolled data. If the file doesn't exist, it will be created. In both cases, the file will also be converted to mode 222, which allows all users on the system to modify it. By specifying a system file, users can cause a denial of service condition or elevate privileges.

III. ANALYSIS

Exploitation allows attackers to execute arbitrary code with root privileges. The severity of this vulnerability is lessened by the fact that under a default configuration, the group id "system" is needed to execute swcons.

IBM originally released an interim fix on February 22nd, 2007. The original fix did prevent attackers from overwriting or changing the ownership of existing files, but did not prevent the creation of new files via symlink attacks.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability on IBM AIX version 5.2. It is suspected that previous versions are also vulnerable.

V. WORKAROUND

Only allow trusted users local access to security critical systems. Limit access to the "system" group. Alternately, remove the set-uid bit from the swcons program.

VI. VENDOR RESPONSE

IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below.

http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

12/21/2004  Initial vendor notification
01/07/2005  Initial vendor response
10/30/2007  Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Alex DeLarge.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission.
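The swcons weakness described above is a set-uid root program opening a caller-chosen path with root's permissions, following a symlink placed there, and then chmod-ing the result to 222. As an added illustration (not IBM's code and not part of the iDefense advisory), the function below shows the three checks a privileged program can apply before writing to a user-supplied log path: drop to the caller's real uid/gid around the open so the kernel evaluates the path with the caller's rights, refuse a symlink at the target with O_NOFOLLOW, and never widen the file's mode. The names open_console_log, log_is_world_writable and demo, the scratch directory under /tmp, and the 0600 mode are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Example code, not from IBM or iDefense. Open a caller-supplied log
 * path from a set-uid root program without granting the caller root's
 * file-creation rights. Returns an fd, or -1 with errno set. */
int open_console_log(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();

    /* 1. Evaluate the path as the *real* user: every directory and the
     *    target itself are checked against the caller's permissions. */
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        return -1;

    /* 2. O_NOFOLLOW rejects a symlink at the final component (the
     *    primitive the swcons symlink attack relied on); O_APPEND rather
     *    than O_TRUNC so an existing file is not emptied; mode 0600 so
     *    the file is never world-writable (swcons left it mode 222). */
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
    int saved_errno = errno;

    /* 3. Regain privilege only after the open has been decided. */
    seteuid(saved_euid);
    setegid(saved_egid);
    errno = saved_errno;
    return fd;
}

/* 1 if the file behind fd is writable by "other", 0 if not, -1 on error. */
int log_is_world_writable(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return -1;
    return (st.st_mode & S_IWOTH) ? 1 : 0;
}

/* Self-check: builds a scratch directory holding a symlink and a plain
 * path. Returns 0 when the symlink is refused and the plain file is
 * created without world-write; otherwise a code naming the failed step. */
int demo(void)
{
    char dir[] = "/tmp/swcons-example-XXXXXX";   /* constructed scratch path */
    char target[PATH_MAX], lnk[PATH_MAX], plain[PATH_MAX];
    int fd, rc = 0;

    if (mkdtemp(dir) == NULL) return 1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    snprintf(plain, sizeof plain, "%s/console.log", dir);

    fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) { rc = 2; goto out; }
    close(fd);
    if (symlink(target, lnk) != 0) { rc = 3; goto out; }

    /* A symlink where the log should go is refused (ELOOP on Linux,
     * EMLINK on the BSDs) and the file it points to is left untouched. */
    fd = open_console_log(lnk);
    if (fd >= 0) { close(fd); rc = 4; goto out; }
    if (errno != ELOOP && errno != EMLINK) { rc = 5; goto out; }

    /* A regular path is created, but not with swcons' mode 222. */
    fd = open_console_log(plain);
    if (fd < 0) { rc = 6; goto out; }
    if (log_is_world_writable(fd) != 0) rc = 7;
    close(fd);
out:
    unlink(plain); unlink(lnk); unlink(target); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo();
    printf("swcons-style open checks: %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

Run as an ordinary user the seteuid/setegid calls are no-ops and demo() still passes, which is the point: the open succeeds or fails on the caller's own permissions. In a real set-uid binary the temporary drop shown here is appropriate only when root is needed again later; where it is not, a permanent setuid(getuid()) before touching any user-controlled path is the stronger choice (the bellmail advisory below shows what happens when a program drops privileges but keeps a way back).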
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

=============================================================================

IBM AIX 5.2 crontab BSS Buffer Overflow Vulnerability

iDefense Security Advisory 10.30.07
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 30, 2007

I. BACKGROUND

The crontab program is a user utility that enables users to create, remove, and edit cron jobs. The cron jobs will then later be executed, on behalf of the user, at the specified time. Under AIX, the crontab program is installed by default and is set-uid root. More information can be found at the URL shown.

http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.cmds/doc/aixcmds1/crontab.htm

II. DESCRIPTION

Local exploitation of a buffer overflow vulnerability in the crontab program of IBM Corp.'s AIX 5.2 operating system allows attackers to execute arbitrary code with root privileges.

The problem specifically exists within the main function. While processing command line arguments, the crontab program will copy a user-supplied argument to a fixed size BSS (data segment) buffer. Since no bounds checking is performed, it's possible to overwrite a large portion of the data stored in the BSS memory area.

III. ANALYSIS

Exploitation allows an attacker to execute arbitrary code with root privileges. Local access is required to execute the crontab program.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability within AIX version 5.2. Previous versions are suspected to be vulnerable. AIX 5.3 does not appear to be vulnerable.

V. WORKAROUND

Removing the set-uid bit from the crontab program will protect against exploitation. However, doing so will render the program unusable.

VI. VENDOR RESPONSE

IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below.

http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-4621 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

08/29/2007  Initial vendor notification
09/12/2007  Initial vendor response
10/30/2007  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

=============================================================================

IBM AIX dig dns_name_fromtext Integer Underflow Vulnerability

iDefense Security Advisory 10.30.07
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 30, 2007

I. BACKGROUND

dig is a utility that is commonly used for DNS diagnostics. Under AIX 5.2, the dig program is installed by default and is set-uid root. More information can be found at the URL shown.

http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.cmds/doc/aixcmds2/dig.htm

II. DESCRIPTION

Local exploitation of an integer underflow vulnerability in the dig program of IBM Corp.'s AIX operating system allows attackers to execute arbitrary code with root privileges.

The problem specifically exists within the dns_name_fromtext function of the libdns.a library. This function is called when processing the '-y' command line parameter to the dig program. By supplying a specially crafted TSIG key parameter, an attacker is able to cause an integer underflow, resulting in potentially exploitable heap corruption.

III. ANALYSIS

Exploitation allows an attacker to execute arbitrary code with root privileges. Local access is required to execute the dig program.

It should be noted that this particular issue is documented within the bind release notes as bug #1211 and #1350. However, this particular vulnerability is specific to AIX 5.2 since it installs the dig program set-uid root.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability within AIX version 5.2. Previous versions are suspected to be vulnerable. AIX 5.3 is not vulnerable since the dig command is no longer installed set-uid root.

V. WORKAROUND

Removing the set-uid bit from the dig program will prevent exploitation.

VI. VENDOR RESPONSE

IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below.

http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-4622 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

08/30/2007  Initial vendor notification
09/14/2007  Initial vendor response
10/30/2007  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

=============================================================================

IBM AIX lqueryvg Stack Buffer Overflow Vulnerability

iDefense Security Advisory 10.30.07
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 30, 2007

I. BACKGROUND

The lqueryvg utility is used to examine the properties of disk volume groups. It is installed set-uid root by default on multiple versions of AIX.

II. DESCRIPTION

Local exploitation of a stack buffer overflow vulnerability in IBM Corp.'s AIX operating system may allow an attacker to execute arbitrary code with root privileges.

The vulnerability exists within the parsing of the '-p' command line option. The argument to this option is copied into a fixed size stack buffer using the sprintf() function without properly validating the length. This leads to an exploitable stack buffer overflow.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary code with root privileges. The binary may be executed by any user with a local account; no special group membership is needed.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in AIX version 5.2 and 5.3. Previous versions may also be affected.

V. WORKAROUND

Removing the set-uid bit from the binary will prevent exploitation, but may make the program unusable by non-root users.

VI. VENDOR RESPONSE

IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below.

http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-4513 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

08/21/2007  Initial vendor notification
08/22/2007  Initial vendor response
10/30/2007  Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Sean Larsson of VeriSign iDefense Labs.

=============================================================================

IBM AIX lquerypv Stack Buffer Overflow Vulnerability

iDefense Security Advisory 10.30.07
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 30, 2007

I. BACKGROUND

The lquerypv utility is used to examine the properties of a physical volume in a volume group. It is installed set-uid root by default on multiple versions of AIX.

II. DESCRIPTION

Local exploitation of a stack buffer overflow vulnerability in IBM Corp.'s AIX operating system may allow an attacker to execute arbitrary code with root privileges.

The vulnerability exists within the parsing of the '-V' command line option. The argument to this option is copied into a fixed size stack buffer using the sprintf() function without properly validating the length. This leads to an exploitable stack buffer overflow.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary code with root privileges. The binary may be executed by any user with a local account; no special group membership is needed.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in AIX version 5.2 and 5.3. Previous versions may also be affected.

V. WORKAROUND

Removing the set-uid bit from the binary will prevent exploitation, but may make the program unusable by non-root users.

VI. VENDOR RESPONSE

IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below.

http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-4513 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

08/21/2007  Initial vendor notification
08/22/2007  Initial vendor response
10/30/2007  Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Sean Larsson of VeriSign iDefense Labs.

=============================================================================

IBM AIX ftp domacro Parameter Buffer Overflow Vulnerability

iDefense Security Advisory 10.30.07
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 30, 2007

I. BACKGROUND

The ftp program is a client application for accessing data stored on FTP servers. This client is responsible for interfacing with users and speaking the FTP protocol with remote servers. Under AIX, the ftp program is installed by default and is set-uid root. More information can be found at the URL shown below.

http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.cmds/doc/aixcmds2/ftp.htm

II. DESCRIPTION

Local exploitation of a buffer overflow vulnerability in the ftp client of IBM Corp.'s AIX operating system allows attackers to execute arbitrary code with root privileges.

The problem specifically exists within the domacro() function. This function is called when executing a macro via the '$' command within the ftp program. When executing a macro, the parameter is copied to a fixed size stack buffer using an unbounded call to strcpy(). By specifying a long argument, an attacker is able to overwrite program control data located on the stack and take control of the affected process.

III. ANALYSIS

Exploitation allows an attacker to execute arbitrary code with root privileges. Local access is required to execute and interact with the ftp program.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in AIX version 5.3 (5300-06). Previous versions are suspected to be vulnerable.

V. WORKAROUND

Removing the set-uid bit from the ftp program will protect against exploitation. However, doing so will render the program unusable.

VI. VENDOR RESPONSE

IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below.

http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-4217 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

08/15/2007  Initial vendor notification
08/15/2007  Initial vendor response
10/30/2007  Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Joshua J. Drake of VeriSign iDefense Labs.

=============================================================================

IBM AIX bellmail Stack Buffer Overflow Vulnerability

iDefense Security Advisory 10.30.07
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 30, 2007

I. BACKGROUND

bellmail is a mail user-agent (MUA) and is commonly used for accessing locally stored electronic mail messages. Under AIX, the bellmail program is installed by default and is set-uid root. More information can be found at the URL shown.

http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.commadmn/doc/commadmndita/mail_bellmail.htm

II. DESCRIPTION

Local exploitation of a buffer overflow vulnerability in the bellmail program of IBM Corp.'s AIX operating system allows attackers to execute arbitrary code with root privileges.

The problem specifically exists within the sendrmt function. This function is called when a user tries to send mail using the "m" command. Within this function, several sprintf calls are made to concatenate user-supplied input with static strings. No bounds checking is performed to ensure that the resulting string will fit in the destination buffer located on the stack. By supplying a long parameter, an attacker is able to overwrite program control data located on the stack and take control of the affected process.

III. ANALYSIS

Exploitation allows an attacker to execute arbitrary code with root privileges. Local access is required to execute and interact with the bellmail program.

It should be noted that the bellmail program does initially set its user (both saved and effective) to that of the calling user. Generally, it would be sufficient to drop these privileges. However, in this case, the bellmail program uses the AIX-specific setpriv functionality to retain the ability to chown arbitrary files on the system.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability within AIX version 5.3 (5300-06) and 5.2. Previous versions are suspected to be vulnerable.

V. WORKAROUND

Removing the set-uid bit from the bellmail program will protect against exploitation. However, doing so will render the program unusable.

VI. VENDOR RESPONSE

IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below.

http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-4623 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

08/28/2007  Initial vendor notification
08/28/2007  Initial vendor response
10/30/2007  Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Joshua J. Drake of VeriSign iDefense Labs.
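Five of the advisories above (crontab, lqueryvg, lquerypv, ftp domacro, bellmail sendrmt) share one defect: a caller-controlled string is copied or sprintf'd into a fixed-size buffer with no bound. The dig advisory describes a close relative: a length taken from the input is subtracted from a remaining-space counter without first checking that enough remains, so the unsigned counter wraps and the following copy overruns the heap. The block below is an added example, not code from IBM, ISC or iDefense, showing the two checks those programs lacked: build_option bounds the formatted copy and treats truncation as an error, and decode_name walks a constructed length-prefixed label format (a stand-in for the real TSIG key syntax dig parses) comparing before every subtraction so the counter can never wrap. The function names, the OPTBUF size and the sample inputs are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example code, not from IBM, ISC or iDefense; sizes are illustrative. */
#define OPTBUF 64   /* stand-in for the fixed-size buffers in the advisories */

/* Hardened form of "sprintf(buf, "%s%s", prefix, arg)" into a fixed buffer:
 * snprintf bounds the write, and its return value says whether the whole
 * string fitted. Returns the length written, or -1 if it would not fit. */
int build_option(char *dst, size_t dstlen, const char *prefix, const char *arg)
{
    int n = snprintf(dst, dstlen, "%s%s", prefix, arg);
    if (n < 0 || (size_t)n >= dstlen) {
        if (dstlen > 0) dst[0] = '\0';   /* leave nothing half-built behind */
        return -1;
    }
    return n;
}

/* Decode length-prefixed labels (terminated by a 0 length) into dotted
 * text. The unchecked version of this loop does "remaining -= len + 1"
 * first and copies afterwards; when len exceeds remaining the size_t
 * wraps to a huge value and every later bound check passes. Here the
 * comparison always precedes the subtraction. Returns bytes written to
 * out, or -1 on malformed input or insufficient space. */
int decode_name(const uint8_t *in, size_t inlen, char *out, size_t outlen)
{
    size_t ip = 0, op = 0;
    size_t remaining = outlen;          /* includes room for the final NUL */

    if (outlen == 0) return -1;
    for (;;) {
        if (ip >= inlen) return -1;     /* input ended before the 0 terminator */
        size_t len = in[ip++];
        if (len == 0) break;            /* zero-length label ends the name */
        if (len > inlen - ip) return -1;            /* label longer than input */
        size_t need = len + (op ? 1 : 0);           /* '.' separator plus label */
        if (need >= remaining) return -1;           /* check BEFORE subtracting */
        if (op) out[op++] = '.';
        memcpy(out + op, in + ip, len);
        op += len;
        ip += len;
        remaining -= need;                          /* cannot wrap: need < remaining */
    }
    out[op] = '\0';
    return (int)op;
}

/* Scratch buffer so the checks can be exercised with literals. */
char scratch[OPTBUF];

/* Constructed inputs: "www.example.com" in label form, and a label that
 * claims more bytes than the message contains. */
static const uint8_t good_name[] = { 3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
static const uint8_t short_name[] = { 5,'a','b' };

/* Self-check: 0 on success, otherwise the number of the failed step. */
int self_check(void)
{
    char name[16];   /* exactly "www.example.com" plus NUL */
    if (build_option(scratch, sizeof scratch, "-p ", "vg00") != 7) return 1;
    if (strcmp(scratch, "-p vg00") != 0) return 2;
    if (build_option(scratch, 8, "-p ", "vg00-long") != -1) return 3;   /* does not fit */
    if (scratch[0] != '\0') return 4;
    if (decode_name(good_name, sizeof good_name, name, sizeof name) != 15) return 5;
    if (strcmp(name, "www.example.com") != 0) return 6;
    if (decode_name(good_name, sizeof good_name, name, 15) != -1) return 7;  /* one byte short */
    if (decode_name(short_name, sizeof short_name, name, sizeof name) != -1) return 8;
    return 0;
}

int main(void)
{
    int rc = self_check();
    printf("length checks: %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The design choice worth noting is that both functions refuse rather than truncate: a silently truncated option string or name is a different bug (wrong file, wrong key) waiting to happen, and an explicit -1 is what a set-uid program should turn into an error message and exit. The workaround the advisories give, removing the set-uid bit, remains the right short-term control on an unpatched host; the checks above are what the fixed binaries need to contain.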
======================================================================
=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER            | tel : 01-53-94-20-44      +
+ 151 bd de l'Hopital     | fax : 01-53-94-20-41      +
+ 75013 Paris             | email: certsvp@renater.fr +
=========================================================