|
 |
|
IBM AIX Multiple Privilege Escalation Vulnerabilities
|
|
|
|
|
Secunia Advisory:
|
SA27437
|
|
|
Release Date:
|
2007-10-31
|
|
Last Update:
|
2007-12-12
|
|
|
Critical:
|
Less critical
|
|
Impact:
|
Privilege escalation
|
|
Where:
|
Local system
|
|
Solution Status:
|
Vendor Patch
|
|
| OS: | AIX 5.x
|
|
| | CVE reference: | CVE-2007-4217 (Secunia mirror)
CVE-2007-4513 (Secunia mirror)
CVE-2007-4621 (Secunia mirror)
CVE-2007-4622 (Secunia mirror)
CVE-2007-4623 (Secunia mirror)
CVE-2007-5804 (Secunia mirror)
CVE-2007-5805 (Secunia mirror)
|
|
|
Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS! |
|
|
Description:
Multiple vulnerabilities have been reported in IBM AIX, which can be exploited by malicious, local users to gain escalated privileges.
1) A boundary error within the sendrmt function of the bellmail program can be exploited to cause a stack-based buffer overflow and execute arbitrary code with root privileges.
2) A boundary error within the domacro function of the ftp program can be exploited to cause a stack-based buffer overflow and execute arbitrary code with root privileges.
3) A boundary error within the lquerypv utility when handling arguments to the "-V" option can be exploited can be exploited to cause a stack-based buffer overflow and execute arbitrary code with root privileges.
4) A boundary error within the lqueryvg utility when handling arguments to the "-p" option can be exploited can be exploited to cause a stack-based buffer overflow and execute arbitrary code with root privileges.
5) An integer underflow error within the dns_name_fromtext function of the dig program can be exploited to cause a heap corruption and potentially execute arbitrary code with root privileges.
6) A boundary error in the crontab program when handling command-line arguments can be exploited to cause a data segment-based buffer overflow and execute arbitrary code with root privileges.
Vulnerabilities #5 and #6 reportedly only affects version 5.2.
7) An input validation error within the swcons command when handling arguments passed to the "-p" option can be exploited by a user in the "system" group to e.g. create or modify arbitrary system files.
8) A boundary error in the tftp program can be exploited to execute arbitrary code with root privileges.
Solution:
Apply interim fixes or APARs as soon as they become available:
http://www.ibm.com/servers/eserver/support/unixservers/aixfixes.html
Interim fixes:
ftp://aix.software.ibm.com/aix/efixes/security/bellmail_ifix.tar
ftp://aix.software.ibm.com/aix/efixes/security/ftp_ifix.tar
ftp://aix.software.ibm.com/aix/efixes/security/lquerypv_ifix.tar
ftp://aix.software.ibm.com/aix/efixes/security/lqueryvg_ifix.tar
ftp://aix.software.ibm.com/aix/efixes/security/dig_ifix.tar
ftp://aix.software.ibm.com/aix/efixes/security/crontab_ifix.tar
ftp://aix.software.ibm.com/aix/efixes/security/cfgcon_ifix.tar
ftp://aix.software.ibm.com/aix/efixes/security/tftp_ifix.tar
AIX 5.2.0:
APAR IZ05066
APAR IZ05487
APAR IZ05877
APAR IZ05349
APAR IZ05017
APAR IZ04832
APAR IZ03055
APAR IZ03054
AIX 5.3.0:
APAR IZ05065/IZ05568
APAR IZ05488/IZ06075
APAR IZ05971/IZ06079
APAR IZ05129/IZ05200
APAR IZ03061/IZ02851
APAR IZ03060/IZ03392
APAR IZ05053/IZ06074
Provided and/or discovered by:
1-2) Joshua J. Drake, VeriSign iDefense Labs
3-4) Sean Larsson, VeriSign iDefense Labs
5) Anonymous researcher, reported via iDefense Labs
6) Anonymous researcher, reported via iDefense Labs
7) Alex DeLarge, reported via iDefense Labs
8) Reported by the vendor.
Changelog:
2007-11-07: Added CVE reference.
2007-12-12: Updated "Solution" section. Added APARs for AIX 5.3.0.
Original Advisory:
IBM:
http://www14.software.ibm.com/webapp/...3&topic=SECURITY&month=200710
http://www14.software.ibm.com/webapp/...2&topic=SECURITY&month=200710
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=617
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=616
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=615
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=614
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=613
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=612
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=611
|
|
|
|
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
|
96 Related Secunia Security Advisories, displaying 10
|
|
|
1. IBM AIX DNS Cache Poisoning
|
|
2. IBM AIX update for OpenSSH
|
|
3. IBM AIX ftpd "quote cwd" Full Path Disclosure Weakness
|
|
4. IBM AIX Multiple Vulnerabilities
|
|
5. IBM AIX Multiple Vulnerabilities
|
|
6. IBM AIX "reboot" Buffer Overflow Vulnerability
|
|
7. AIX "man" Insecure Program Execution Vulnerability
|
|
8. IBM AIX libc "inet_network()" Off-By-One Vulnerability
|
|
9. IBM AIX X Server Multiple Vulnerabilities
|
|
10. IBM AIX Pegasus CIM Server for Director Vulnerabilities
|
Show all related advisories
|
|
|
Send Feedback to Secunia
|
|
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
|
|
|
|
|
|
Secunia PSI
Scan | Patch | Track
Free Download
|
|
|
Secunia Poll
|
|
|
|
|
 |
|
|
Most Popular Advisories
|
|
|
|
|
|
