Credit:
The information has been provided by iDefense.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=617, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=616, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=615, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=614, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=613, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=612, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=611
Vulnerable Systems:
* IBM AIX version 5.3 (5300-06) - ftp
* IBM AIX version 5.3 (5300-06) and 5.2 - bellmail, lquerypv, lqueryvg
* IBM AIX version 5.2 - dig, crontab, swcons
IBM AIX ftp domacro Parameter Buffer Overflow Vulnerability
The ftp program is a client application for accessing data stored on FTP servers. This client is responsible for interfacing with users and speaking the FTP protocol with remote servers. Under AIX, the ftp program is installed by default and is set-uid root.
Local exploitation of a buffer overflow vulnerability in the ftp client of IBM Corp.'s AIX operating system allows attackers to execute arbitrary code with root privileges.
The problem specifically exists within the domacro() function. This function is called when executing a macro via the '$' command within the ftp program. When executing a macro, the parameter is copied to a fixed size stack buffer using an unbounded call to strcpy(). By specifying a long argument, an attacker is able to overwrite program control data located on the stack and take control of the affected process.
Vendor response:
IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below: http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1
CVE Information:
CVE-2007-4217
IBM AIX bellmail Stack Buffer Overflow Vulnerability
bellmail is a mail user-agent (MUA) and is commonly used for accessing locally stored electronic mail messages. Under AIX, the bellmail program is installed by default and is set-uid root.
Local exploitation of a buffer overflow vulnerability in the bellmail program of IBM Corp.'s AIX operating system allows attackers to execute arbitrary code with root privileges.
The problem specifically exists within the sendrmt() function. This function is called when a user tries to send mail using the "m" command. Within this function, several sprintf() calls concatenate user-supplied input with static strings. No bounds checking is performed to ensure that the resulting string fits in the destination buffer located on the stack. By supplying a long parameter, an attacker is able to overwrite program control data located on the stack and take control of the affected process.
Vendor response:
IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below: http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1
CVE Information:
CVE-2007-4623
IBM AIX lquerypv Stack Buffer Overflow Vulnerability
The lquerypv utility is used to examine the properties of a physical volume in a volume group. It is installed set-uid root by default on multiple versions of AIX.
Local exploitation of a stack buffer overflow vulnerability in IBM Corp.'s AIX operating system may allow an attacker to execute arbitrary code with root privileges.
The vulnerability exists within the parsing of the '-V' command line option. The argument to this option is copied into a fixed size stack buffer using the sprintf() function without properly validating the length. This leads to an exploitable stack buffer overflow.
Vendor response:
IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1
CVE Information:
CVE-2007-4513
IBM AIX lqueryvg Stack Buffer Overflow Vulnerability
The lqueryvg utility is used to examine the properties of disk volume groups. It is installed set-uid root by default on multiple versions of AIX.
Local exploitation of a stack buffer overflow vulnerability in IBM Corp.'s AIX operating system may allow an attacker to execute arbitrary code with root privileges.
The vulnerability exists within the parsing of the '-p' command line option. The argument to this option is copied into a fixed size stack buffer using the sprintf() function without properly validating the length. This leads to an exploitable stack buffer overflow.
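The four stack overflows described above (the ftp domacro() strcpy(), the bellmail sendrmt() sprintf() calls, and the lquerypv '-V' and lqueryvg '-p' sprintf() calls) share one shape: a fixed-size automatic buffer and a copy that never consults the buffer's size. The following C is an added example, not iDefense's or IBM's code. It places that shape next to the bounded replacement a fix would use. The 64-byte buffer size, the function names and the "-V hdisk0" input are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define OPT_BUF 64   /* assumed size of the fixed stack buffer */

/* Vulnerable shape (for contrast; never call these with untrusted input):
 * nothing compares the argument length with the buffer, so the bytes after
 * buf[OPT_BUF - 1] overwrite the caller's saved registers and return address. */
void domacro_unbounded(const char *arg)
{
    char line[OPT_BUF];
    strcpy(line, arg);                 /* ftp-style: macro argument, no bound */
    printf("macro line: %s\n", line);
}

void option_unbounded(const char *arg)
{
    char msg[OPT_BUF];
    sprintf(msg, "-V %s", arg);        /* lquerypv-style: format, no bound   */
    printf("%s\n", msg);
}

/* Bounded copy: copies and returns 0 when src fits, returns -1 otherwise.
 * Rejecting is preferable to silently truncating a value that later names a
 * file or device. */
int copy_arg_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Bounded formatting: snprintf() never writes more than dstsz bytes, and a
 * return value >= dstsz means the output was cut short, which is treated as
 * an error rather than as success. Returns the formatted length or -1. */
int format_opt_bounded(char *dst, size_t dstsz, const char *opt, const char *arg)
{
    int n = snprintf(dst, dstsz, "%s %s", opt, arg);
    if (n < 0 || (size_t)n >= dstsz)
        return -1;
    return n;
}

/* The same 64-byte stack buffers as above, now behind the checks. */
int domacro_checked(const char *arg)
{
    char line[OPT_BUF];
    return copy_arg_bounded(line, sizeof line, arg);
}

int option_checked(const char *arg)
{
    char msg[OPT_BUF];
    return format_opt_bounded(msg, sizeof msg, "-V", arg);
}

/* Constructed attacker-style input: n bytes of 'A' (n < 256). */
const char *a_string(size_t n)
{
    static char buf[256];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    printf("domacro, 63 bytes: %d\n", domacro_checked(a_string(63)));  /* 0  */
    printf("domacro, 64 bytes: %d\n", domacro_checked(a_string(64)));  /* -1 */
    printf("-V hdisk0: %d\n", option_checked("hdisk0"));               /* 9  */
    printf("-V + 200 bytes: %d\n", option_checked(a_string(200)));     /* -1 */
    return 0;
}
```

The checked variants return a status instead of a string because the caller must decide what to do with an oversized argument; in a set-uid program the right answer is to refuse it, not to shorten it and continue with root privileges.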
Vendor response:
IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below: http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1
CVE Information:
CVE-2007-4513
IBM AIX dig dns_name_fromtext Integer Underflow Vulnerability
dig is a utility that is commonly used for DNS diagnostics. Under AIX 5.2, the dig program is installed by default and is set-uid root.
Local exploitation of an integer underflow vulnerability in the dig program of IBM Corp.'s AIX operating system allows attackers to execute arbitrary code with root privileges.
The problem specifically exists within the dns_name_fromtext() function in the libdns.a library. This function is called when processing the '-y' command line parameter of the dig program. By supplying a specially crafted TSIG key parameter, an attacker is able to cause an integer underflow, resulting in potentially exploitable heap corruption.
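The following C is an added example, not the libdns.a code, of how an integer underflow in the "space remaining" bookkeeping of a text-to-wire name converter becomes a heap overwrite. The output layout mirrors DNS wire-format names (a length byte followed by each label), which is what dns_name_fromtext() produces, but the function names, the position of the faulty check and the sizes are assumptions for illustration. A fixed scratch buffer stands in for the heap allocation so the arithmetic can be observed without actually corrupting memory.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* The faulty bookkeeping in isolation. 'remaining' is the caller's idea of
 * the space left in the output buffer; subtracting a label that does not fit
 * does not go negative, it wraps to a value near SIZE_MAX. */
size_t remaining_after_label_unchecked(size_t remaining, size_t label_len)
{
    return remaining - (label_len + 1);    /* +1 for the length byte */
}

/* Vulnerable shape: subtract first, test afterwards. The only test is "did we
 * hit exactly zero?", which a wrapped value never satisfies, so memcpy() keeps
 * writing past the 'cap' bytes the caller allocated. Returns bytes written. */
size_t name_to_wire_unchecked(const char *text, uint8_t *out, size_t cap)
{
    size_t used = 0, remaining = cap;
    const char *p = text;
    for (;;) {
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);
        remaining = remaining_after_label_unchecked(remaining, len);
        if (remaining == 0)
            break;
        out[used++] = (uint8_t)len;
        memcpy(out + used, p, len);
        used += len;
        if (!dot)
            break;
        p = dot + 1;
    }
    out[used++] = 0;
    return used;
}

/* Fixed shape: compare before subtracting. 'used' never exceeds 'cap', so
 * cap - used cannot wrap, and labels are also held to the DNS limits of 63
 * bytes per label and 255 bytes per name. Returns the encoded length or -1. */
long name_to_wire_checked(const char *text, uint8_t *out, size_t cap)
{
    size_t used = 0;
    const char *p = text;
    for (;;) {
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);
        if (len == 0) {
            if (dot == NULL && used > 0)   /* trailing dot: fully qualified name */
                break;
            return -1;                     /* empty label ("a..b" or "") */
        }
        if (len > 63 || cap - used < len + 1)
            return -1;
        out[used++] = (uint8_t)len;
        memcpy(out + used, p, len);
        used += len;
        if (!dot)
            break;
        p = dot + 1;
    }
    if (used + 1 > 255 || cap - used < 1)
        return -1;
    out[used++] = 0;
    return (long)used;
}

/* Scratch buffer standing in for the heap allocation: large enough that the
 * unchecked writer cannot crash the demonstration, while its return value
 * still shows how many bytes went beyond the 'cap' it was given. */
static uint8_t scratch[512];

long wire_len_checked(const char *text, size_t cap)
{
    return cap > sizeof scratch ? -1 : name_to_wire_checked(text, scratch, cap);
}

size_t wire_len_unchecked(const char *text, size_t cap)
{
    return name_to_wire_unchecked(text, scratch, cap);
}

int main(void)
{
    printf("wrapped remaining: %zu\n", remaining_after_label_unchecked(8, 10));
    printf("checked, cap 64: %ld\n", wire_len_checked("www.example.com", 64));   /* 17 */
    printf("checked, cap 8: %ld\n", wire_len_checked("www.example.com", 8));     /* -1 */
    printf("unchecked, cap 8: %zu\n", wire_len_unchecked("www.example.com", 8)); /* 17 */
    return 0;
}
```

With a capacity of 8 the unchecked converter still reports 17 bytes written: on a real malloc()ed buffer those 9 extra bytes land in the next heap chunk, which is the corruption the advisory describes.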
Vendor response:
IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below: http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1
CVE Information:
CVE-2007-4622
IBM AIX 5.2 crontab BSS Buffer Overflow Vulnerability
The crontab program is a user utility that enables users to create, remove, and edit cron jobs. The cron jobs will then later be executed, on behalf of the user, at the specified time. Under AIX, the crontab program is installed by default and is set-uid root.
Local exploitation of a buffer overflow vulnerability in the crontab program of IBM Corp.'s AIX 5.2 operating system allows attackers to execute arbitrary code with root privileges.
The problem specifically exists within the main() function. While processing command line arguments, the crontab program copies a user-supplied argument into a fixed size buffer in the BSS segment (the zero-initialised data segment, not the stack). Since no bounds checking is performed, it is possible to overwrite a large portion of the data stored in the BSS memory area.
Vendor response:
IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below: http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1
CVE Information:
CVE-2007-4621
IBM AIX swcons Local Arbitrary File Access Vulnerability
The swcons program is a set-uid root application which is installed by default on IBM AIX. It allows for console logs to be temporarily logged to a file or device.
Local exploitation of a file access vulnerability in the swcons command included in multiple versions of IBM Corp.'s AIX could allow for the creation or modification of arbitrary files anywhere on the system.
The vulnerability specifically exists due to a lack of sanity checking when using the -p option. If a user specifies a file with the -p option, the contents of that file will be overwritten with 65,535 bytes of uncontrolled data. If the file doesn't exist, it will be created. In both cases, the file will also be converted to mode 222, which allows all users on the system to modify it. By specifying a system file, users can cause a denial of service condition or elevate privileges.
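The root cause here is not memory corruption but a set-uid root program opening a user-chosen path with root's credentials and then loosening its mode. The following C is an added example, not the swcons source, of the pattern a fix would use: open the file as the real (invoking) user so the kernel applies that user's permissions, refuse symbolic links with O_NOFOLLOW, and create the file 0600 instead of mode 222. The function names and the self-test directory under /tmp are assumptions; the self-test constructs its own files.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open 'path' for appending as the invoking user. seteuid(getuid()) before
 * open() means a user who cannot write /etc/passwd cannot make this program
 * do it either; the saved set-user-ID lets the program regain root afterwards
 * for its own privileged work. In a non-set-uid process both calls are no-ops.
 * Returns a file descriptor or -1 with errno set. */
int open_log_as_user(const char *path)
{
    uid_t privileged = geteuid();
    int fd, saved_errno;

    if (seteuid(getuid()) != 0)
        return -1;
    fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    saved_errno = errno;
    if (seteuid(privileged) != 0) {
        if (fd >= 0)
            close(fd);
        errno = EPERM;
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* Self-test on constructed files in a fresh temporary directory. Checks that
 * a symlink planted at the log path is refused (open() fails with ELOOP on
 * Linux because of O_NOFOLLOW) and that a regular log file is created without
 * group or world write permission. Returns 0 when both hold. */
int open_log_selftest(void)
{
    char dir[] = "/tmp/swconsXXXXXX";
    char target[128], link[128];
    struct stat st;
    int fd, rc = 1;

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(target, sizeof target, "%s/console.log", dir);
    snprintf(link, sizeof link, "%s/evil-link", dir);

    /* Attacker's move: point the "log file" at a system file. */
    if (symlink("/etc/passwd", link) == 0 && open_log_as_user(link) < 0) {
        /* Legitimate use: a real file, created 0600 rather than mode 222. */
        fd = open_log_as_user(target);
        if (fd >= 0) {
            if (fstat(fd, &st) == 0 && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0)
                rc = 0;
            close(fd);
        }
    }
    unlink(link);
    unlink(target);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("self-test: %s\n", open_log_selftest() == 0 ? "ok" : "FAILED");
    return 0;
}
```

Dropping to the real uid around the open() is the check that matters: it lets the kernel, rather than a hand-written path filter, decide whether this user may write that file. O_NOFOLLOW closes the remaining symlink race, and never calling chmod() on the user's path avoids creating the world-writable file that made the original bug a privilege escalation rather than only a denial of service.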
Vendor response:
IBM Corp. has addressed this vulnerability by releasing interim fixes. More information can be found via the Bulletins tab of IBM's Subscription Service for UNIX and Linux servers. You can reach this service by clicking the URL shown below: http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1