AIX Negative UID Privilege Escalation

1994-10-22T20:59:59
ID OSVDB:18727
Type osvdb
Reporter OSVDB
Modified 1994-10-22T20:59:59

Description

Vulnerability Description

Older AIX releases, and potentially other Unix flavors, may contain a flaw in user ID (UID) processing that allows privilege escalation. In some cases, various daemons or services fail to properly check the bounds of UIDs, resulting in an overflow. With a specially crafted UID, an attacker can assume root privileges regardless of the root UID mapping. On NFS servers, this may be abused to 'wrap' a UID around past 65535, so that the effective UID processed becomes '0' or 'root', resulting in full access to the exported file system.

Solution Description

Upgrade to a current version of the OS, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): do not use UIDs larger than 65535.
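
The wrap described above and the bounds check that prevents it, together with an audit for the workaround, as an added example (not code from AIX or from the original reports). It assumes a service that stores UIDs in a 16-bit type; `uid16_t`, the function names and the passwd-style sample lines are constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t uid16_t; /* assumption: the service stores UIDs in 16 bits */

/* Flawed pattern: silent truncation, so 65536 and -65536 both become 0. */
uid16_t uid_truncating(long wire_uid) { return (uid16_t)wire_uid; }

/* Hardened pattern: refuse anything outside 0..65535 instead of wrapping. */
int uid_checked(long wire_uid, uid16_t *out) {
    if (wire_uid < 0 || wire_uid > UINT16_MAX) return -1;
    *out = (uid16_t)wire_uid;
    return 0;
}

/* Audit one passwd-style line (name:pw:uid:...).
 * 0 = UID in range, 1 = out of range, 2 = out of range and wraps to 0,
 * -1 = line could not be parsed. */
int audit_passwd_line(const char *line) {
    const char *p = strchr(line, ':');
    if (p) p = strchr(p + 1, ':');
    if (!p) return -1;
    char *end;
    errno = 0;
    long uid = strtol(p + 1, &end, 10);
    if (errno || end == p + 1 || *end != ':') return -1;
    if (uid >= 0 && uid <= UINT16_MAX) return 0;
    return uid_truncating(uid) == 0 ? 2 : 1;
}

int main(void) {
    /* Constructed sample entries, not taken from any real system. */
    const char *sample[] = {
        "alice:x:1000:100::/home/alice:/bin/sh",
        "bob:x:70000:100::/home/bob:/bin/sh",
        "mallory:x:65536:100::/home/mallory:/bin/sh",
        "carol:x:-65536:100::/home/carol:/bin/sh",
    };
    static const char *verdict[] = { "ok", "out of 16-bit range", "WRAPS TO UID 0" };
    for (size_t i = 0; i < sizeof sample / sizeof *sample; i++) {
        int r = audit_passwd_line(sample[i]);
        printf("%-45s %s\n", sample[i], r < 0 ? "unparseable" : verdict[r]);
    }
    return 0;
}
```

Any entry the audit reports as out of range violates the workaround; one that wraps to 0 would be treated as root by a service that truncates.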

References:

Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1994_4/0312.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/1994_4/0317.html
Generic Informational URL: http://lists.debian.org/lsb-spec/2000/12/msg00050.html