The auditselect program is "a setuid root application, installed by default under multiple versions of IBM AIX, that selects audit records for analysis according to defined criteria".
Local exploitation of a format string vulnerability in the auditselect command, included by default in multiple versions of IBM Corp.'s AIX operating system, could allow arbitrary code execution as the root user.
Credit:
The information has been provided by iDEFENSE Customer Service.
The original article can be found at: http://www.idefense.com/application/poi/display?id=193&type=vulnerabilities
Vulnerable Systems:
* IBM AIX version 5.2
* IBM AIX version 5.3
The vulnerability exists because a formatted printing function is used improperly. When the first command-line argument (argv[1]) contains format directives, that string is passed directly as the format parameter of a formatted printing function, so the user-supplied directives are evaluated. This allows a malicious user to read stack memory and write to arbitrary memory locations; with a properly crafted string, it can lead to the execution of arbitrary code.
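The following is an added illustration of the bug class described above, written for this page and not IBM's auditselect code. It assumes a program that echoes its first argument into a buffer: one helper reproduces the defective pattern (the user's string used as the format), the other shows the one-line fix (a fixed literal format with the user's string passed as data), and a small checker flags input containing conversion directives, which is the kind of test an audit or log-review rule might apply. The sample argument in main() is constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not IBM's code. "arg" stands in for argv[1]; both
 * helpers format into a caller-provided buffer so the two behaviours
 * can be compared directly.
 */

/* Defective pattern: the caller's string IS the format string. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int describe_unsafe(char *out, size_t outsz, const char *arg)
{
    /* Any "%x" in arg reads a stack word; "%n" writes to memory.
       Kept here only to show the defect; never pass it untrusted input. */
    return snprintf(out, outsz, arg);
}
#pragma GCC diagnostic pop

/* Fixed pattern: a literal format, the user's string supplied as data. */
int describe_safe(char *out, size_t outsz, const char *arg)
{
    return snprintf(out, outsz, "%s", arg);
}

/*
 * Defensive check: true if s contains a conversion directive, i.e. a '%'
 * not immediately followed by another '%' ("%%" is a literal percent).
 * Suitable as an input sanity check or as a rule when reviewing audit
 * command lines for abuse attempts.
 */
bool has_format_directive(const char *s)
{
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {  /* skip the escaped "%%" pair */
            p++;
            continue;
        }
        return true;
    }
    return false;
}

int main(int argc, char **argv)
{
    char buf[128];
    /* constructed sample argument; a real argv[1] is used when given */
    const char *arg = (argc > 1) ? argv[1] : "%x %x %n";

    if (has_format_directive(arg))
        printf("warning: argument contains format directives\n");

    /* The safe helper leaves the directives as literal text. */
    describe_safe(buf, sizeof buf, arg);
    printf("safe output: %s\n", buf);
    return 0;
}
```

Compilers flag the defective call themselves: gcc and clang warn with -Wformat-security when a non-literal format is passed with no further arguments, which is why the example has to silence that warning locally. Building privileged programs with that warning promoted to an error is a cheap way to catch this class of defect before it ships.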
Analysis:
This vulnerability can only be exploited by a local user who has been granted access to the "audit" group. Successful exploitation leads to root-level access.
Due to the nature of the vulnerability, information leakage is trivial and aids the attacker in exploitation.
Workaround:
Only allow trusted users local access to security critical systems. Only allow trusted system administrators access to the "audit" group. Alternately, remove the setuid bit from auditselect using chmod u-s /usr/sbin/auditselect.
Vendor Status:
The vendor has not released a patch for this issue; however, the following details have been published:
http://www-1.ibm.com/support/docview.wss?uid=isg1IY67519
Disclosure Timeline:
12/21/2004 - Initial vendor notification
01/07/2005 - Initial vendor response
02/08/2005 - Public disclosure