Multiple vulnerabilities have been reported in IBM AIX, which can be exploited by malicious, local users to gain escalated privileges.

1) A boundary error within the sendrmt function of the bellmail program can be exploited to cause a stack-based buffer overflow and execute arbitrary code with root privileges.

2) A boundary error within the domacro function of the ftp program can be exploited to cause a stack-based buffer overflow and execute arbitrary code with root privileges.

3) A boundary error within the lquerypv utility when handling arguments to the "-V" option can be exploited can be exploited to cause a stack-based buffer overflow and execute arbitrary code with root privileges.

4) A boundary error within the lqueryvg utility when handling arguments to the "-p" option can be exploited can be exploited to cause a stack-based buffer overflow and execute arbitrary code with root privileges.

5) An integer underflow error within the dns_name_fromtext function of the dig program can be exploited to cause a heap corruption and potentially execute arbitrary code with root privileges.

6) A boundary error in the crontab program when handling command-line arguments can be exploited to cause a data segment-based buffer overflow and execute arbitrary code with root privileges.

Vulnerabilities #5 and #6 reportedly only affects version 5.2.

7) An input validation error within the swcons command when handling arguments passed to the "-p" option can be exploited by a user in the "system" group to e.g. create or modify arbitrary system files.

8) A boundary error in the tftp program can be exploited to execute arbitrary code with root privileges.

Solution
Apply interim fixes or APARs as soon as they become available:
Further details available in Customer Area

Provided and/or discovered by
1-2) Joshua J. Drake, VeriSign iDefense Labs
3-4) Sean Larsson, VeriSign iDefense Labs
5) Anonymous researcher, reported via iDefense Labs
6) Anonymous researcher, reported via iDefense Labs
7) Alex DeLarge, reported via iDefense Labs
8) Reported by the vendor.

Changelog
Further details available in Customer Area

Original Advisory
IBM:
http://www14.software.ibm.com/webapp/set2/subscriptions/ijhifoeblist?mode=1&prefsOnOff=null&heading=AIX53&topic=SECURITY&month=200710
http://www14.software.ibm.com/webapp/set2/subscriptions/ijhifoeblist?mode=1&prefsOnOff=null&heading=AIX52&topic=SECURITY&month=200710

iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=617
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=616
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=615
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=614
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=613
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=612
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=611

Deep Links
Links available in Customer Area