IBM AIX Multiple Privilege Escalation Vulnerabilities - Secunia Advisories - Vulnerability Intelligence

IBM AIX Multiple Privilege Escalation Vulnerabilities
Secunia Advisory:	SA26219	Advisory Toolbox: Issue ticket Save in to-do list Mark as handled Exploit information Download as PDF Review actions Add comment
Release Date:	2007-07-27
Last Update:	2007-12-12
Popularity:	7,824 views

Critical:	Less critical
Impact:	Privilege escalation
Where:	Local system
Solution Status:	Vendor Patch

OS:	AIX 5.x

Subscribe:	Instant alerts on relevant vulnerabilities

CVE reference:	CVE-2007-3333 CVE-2007-4003 CVE-2007-4004 CVE-2007-4236 CVE-2007-4237 CVE-2007-4238

Description: Some vulnerabilities have been reported in IBM AIX, which can be exploited by malicious, local users to gain escalated privileges. 1) The vulnerability is caused due to the program loading an arbitrary library. This can be exploited to load an attacker-supplied library and execute arbitrary code with root privileges. 2) A boundary error in the "capture" program can be exploited to cause a stack-based buffer overflow via an overly long, specially crafted series of control sequences. Successful exploitation allows execution of arbitrary code with root privileges. 3) Multiple boundary errors in the "ftp" program can be exploited to cause stack-based buffer overflows and execute arbitrary code with root privileges. 4) A boundary error in the "lpd" command can be exploited to cause a buffer overflow and allow users in the printq group to execute arbitrary code with root privileges. 5) Insecure file permissions on the "pioinit" script can be exploited by users in the bin group to execute arbitrary code with root privileges by replacing the affected script with a malicious one. 6) A boundary error in the "arp" command, which is installed with the devices.common.IBM.atm.rte fileset, can be exploited to cause a buffer overflow and execute arbitrary code with root privileges. The vulnerabilities are reported in versions 5.2.0 and 5.3.0. Solution: Apply interim fixes or APARs as soon as they become available: ftp://aix.software.ibm.com/aix/efixes/security/pioout_ifix.tar.Z ftp://aix.software.ibm.com/aix/efixes/security/capture_ifix.tar.Z ftp://aix.software.ibm.com/aix/efixes/security/ftpgets_ifix.tar.Z ftp://aix.software.ibm.com/aix/efixes/security/lpd_ifix.tar.Z ftp://aix.software.ibm.com/aix/efixes/security/pioinit_ifix.tar.Z ftp://aix.software.ibm.com/aix/efixes/security/atm_ifix.tar.Z AIX 5.2.0: APAR IZ01121 APAR IZ01135 APAR IZ01812 APAR IY98560 APAR IY79785 APAR IZ00521 AIX 5.3.0: APAR IZ01122/IZ00988 APAR IZ01134/IZ02538 APAR IZ01813/IZ01993 APAR IY98339/IY98457 APAR IY79786 APAR IZ01535/IZ00510 Provided and/or discovered by: 1) Discovered by an anonymous person and reported via iDefense Labs. 2) Discovered by an anonymous person and reported via iDefense Labs. 3) Discovered by an anonymous person and reported via iDefense Labs. 4)-6) Reported by the vendor. Changelog: 2007-08-09: Added CVE reference. 2007-09-19: Reversed APARS IZ01134 and IZ01135 in "Solution" section based on additional information from IBM. 2007-12-12: Updated "Solution" section and added additional vendor links. Original Advisory: IBM: ftp://aix.software.ibm.com/aix/efixes/security/README http://www-1.ibm.com/support/docview.wss?uid=isg1IZ01134 http://www-1.ibm.com/support/docview.wss?uid=isg1IZ01135 http://www-1.ibm.com/support/docview.wss?uid=isg1IZ02538 http://www-1.ibm.com/support/docview.wss?uid=isg1IZ01812 http://www-1.ibm.com/support/docview.wss?uid=isg1IZ01813 http://www-1.ibm.com/support/docview.wss?uid=isg1IZ01993 http://www-1.ibm.com/support/docview.wss?uid=isg1IZ00521 http://www-1.ibm.com/support/docview.wss?uid=isg1IZ01121 iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=569 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=570 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=571

Track this Secunia Advisory
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released. Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.

About this Secunia Advisory
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

Latest Advisories

1st Dec, 2008

New advisories:	33
New vulnerabilities:	55
Updated advisories:	56

Moderately // 197 views

RakhiSoftware Shopping Cart Multiple Vulnerabilities

Moderately // 201 views

Lito Lite CMS "cid" SQL Injection Vulnerability

Moderately // 208 views

Basic PHP CMS "id" SQL Injection Vulnerability

Less // 417 views

Microsoft Office Communications Server SIP INVITE Denial of Service

Moderately // 212 views

Bluo CMS "id" SQL Injection Vulnerability

Moderately // 229 views

Active eWebquiz "useremail" and "password" SQL Injection Vulnerabilities

Highly // 226 views

Minimal Ablog Multiple Vulnerabilities

Moderately // 221 views

Active Newsletter "email" and "password" SQL Injection Vulnerabilities

Moderately // 220 views

Ocean12 FAQ Manager Pro "ID" SQL Injection Vulnerability

Moderately // 239 views

Active Photo Gallery "username" and "password" SQL Injection

Solutions | More...

Send Feedback to Secunia
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com. Ideas, suggestions, and other feedback are most welcome.