Fixed local AIX V43 vulnerabilities

2000-12-02T00:00:00
ID SECURITYVULNS:DOC:1008
Type securityvulns
Reporter Securityvulns
Modified 2000-12-02T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----

Just for the record, here are some local AIX vulnerabilities we have found, and which have been fixed by IBM this year. If you have been applying fixes, there should be no problem with these anymore. But it might be interesting to know what some of those massive fixes available on IBM's site actually are correcting.

Release Date: 20001201

System

AIX 4.{3,2}.x

Affected Programs

setuid root                          V43 APARs  V42 APARs
    /usr/bin/setsenv *                IY08812    IY10721
        [ x=$s ]
    /usr/lib/lpd/digest *             IY08143    IY08287
        [ $s x ]
    /usr/sbin/portmir *               IY07832
        [ -t $s -d x ]
    /usr/bin/enq                      IY08143    IY08287
        [ -M $s ]
    /usr/bin/setclock                 IY07831    IY07790
        [ $s ]
    /usr/lib/lpd/pio/etc/pioout       IY12638
        [ PIO{DEVNAME,PTRTYPE}=$s ]

setgid printq
    /usr/lib/lpd/piobe *              IY12638
        [ PIOSTATUSFILE=x PIO{TITLE,VARDIR}=$s ]
    /usr/lib/lpd/pio/etc/piomkapqd *  IY12638
        [ -p $s ]
    /usr/bin/splp                     IY12638
        [ $s ]
                                      [*] Confirmed exploitable.

Description

Exploitable buffer overflows in several setuid and setgid binaries

(libs) allow local users to gain root access. Portmir can also be used to kill other processes as root.

Details

AIX has a world writable system lock directory which allows playing

with hardlinks to kill other processes like cron using portmir. The portmir overflow is trivial to exploit. Note that these are yet additional vulnerabilities to those corrected in 1997.

Gaining access to printq group gives write access to printer subsystem
configuration files and directories which contain other binaries.

Printer subsys programs seem to expect that they are executed by other printer programs with correctly set up environment. There are nicely looking variables such as PIO_IPCWRITEFD. Printq group has also access to run several other suid root binaries from which atleast /usr/lib/lpd/digest is exploitable.

The overflow in digest is a bit more interesting. Our exploit uses two
overflows. The first one overwrites a pointer located after an

overflowed library (?) buffer which overflows another buffer on the stack afterwards. By that time digest has "dropped" its privileges, but the saved uid is still zero.

Enq was not examined at all. Buffer overflows in setclock and splp

happen in main(), so atleast argv and env pointers can be overwritten, but seems like no interesting data can be accessed. Pioout dies due to never-ending strcpy() of the stored PIODEVNAME environment variable on the heap.

That does not mean they are not exploitable, we just did not

investigate them thoroughly because debugging binary only executables on free time with no reason gets boring quite quickly. Or maybe we interpreted the disassembly wrong.

Solution

Fixes have been available at
http://techsupport.services.ibm.com/rs6k/fixes.html for some time.

Notifications of security fixes can be get by sending email to
aixserv@austin.ibm.com with a subject of "subscribe Security_APARs".

Proactive measures such as stripping s[ug]id bits from unused

binaries, limiting access to the rest of them, and possibly applying suid wrappers for command line arguments and environment variables are recommended. IBM's informative web site has other AIX specific security guides.

We have not verified that the fixes are working due to lack of

resources. If someone is willing to give me (EE) access to a new AIX based (super)computer and does not mind occasional system crashes, I might provide a complete report. :-)

Credits & Acknowledgements

Vulnerabilities were found by Esa Etelavuori (http://www.iki.fi/ee/)
and Jouko PynnЖnen (jouko@solutions.fi).

Thanks to Troy Bollinger and others of the AIX security team for swift
responses.

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (DreamOS) Comment: For info see http://www.gnupg.org

iQCVAwUBOicMvVZDrCkIweM9AQGqGwQAmlkFT9qqvPwYSE83/SPctScwqq7Qk6Zj +G8ms7f5BdPvdazAsadH3l31FpaET5sZdYuiUcHEfXAOIbQbT1mJWEnVDaVVbj2p zmCNJXO6CpjC5GtxImV5fE+F8aD9c0lV156ZUasiWyCc1YZt0hzpxl3eUOtJ11qe 8OHs85Hbozk= =Q6S6 -----END PGP SIGNATURE-----