IBM AIX libodm ODMPATH Stack Overflow Vulnerability
11 Jul. 2007
Summary
AIX applications "use libodm to access system settings and device configuration data stored in the Object Database Manager. The Manager is responsible for accessing and updating such things as currently installed software packages and devices. Many of the applications that use libodm are installed set-uid root". Local exploitation of a buffer overflow vulnerability in IBM Corp.'s AIX libodm library could allow an attacker to execute arbitrary code on a targeted host.
The vulnerability exists in the processing of the ODMPATH environment variable within the odm_searchpath() function. This function reads the ODMPATH variable from the user-provided environment and copies it into a fixed-size stack buffer without validating its length. The result is a stack-based buffer overflow that allows the saved return address to be overwritten.
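The copy pattern described above, shown beside a bounded version, as an added illustration rather than libodm's own code: the function names, the buffer size and the sample ODMPATH values are assumptions, since the advisory does not give them.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical buffer size; the size libodm actually uses is not stated. */
#define ODMPATH_BUF 256

/* The pattern the advisory describes: an environment value copied into a
 * fixed-size stack buffer with no length check. A value longer than the
 * buffer overwrites the adjacent stack frame. Shown for contrast only. */
static void odm_searchpath_unsafe(const char *odmpath)
{
    char buf[ODMPATH_BUF];
    strcpy(buf, odmpath);   /* unbounded copy: overflow if odmpath is long */
    (void)buf;
}

/* Hardened form: refuse any value that does not fit (terminator included),
 * copy with an explicit bound and always NUL-terminate. Returns 1 when the
 * value was accepted, 0 when the caller should fall back to the default. */
int odm_searchpath_safe(const char *odmpath, char *out, size_t outlen)
{
    if (outlen == 0)
        return 0;
    if (odmpath == NULL) {  /* variable unset: caller uses built-in default */
        out[0] = '\0';
        return 1;
    }
    size_t len = 0;
    while (len < outlen && odmpath[len] != '\0')
        len++;
    if (len == outlen)      /* no terminator within the bound: too long */
        return 0;
    memcpy(out, odmpath, len + 1);
    return 1;
}

/* Reads ODMPATH from the real process environment and applies the check. */
int read_odmpath(char *out, size_t outlen)
{
    return odm_searchpath_safe(getenv("ODMPATH"), out, outlen);
}

int main(void)
{
    char path[ODMPATH_BUF];
    if (read_odmpath(path, sizeof path))
        printf("ODMPATH accepted: \"%s\"\n", path);
    else
        printf("ODMPATH rejected: longer than %d bytes\n", ODMPATH_BUF - 1);
    (void)odm_searchpath_unsafe;
    return 0;
}
```

A set-uid program that takes this path should also consider ignoring ODMPATH entirely when the effective and real user ids differ, since the environment is attacker-controlled in that case.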
Analysis
Exploitation allows an attacker to execute code with root privileges.
Since this is a local attack, an attacker has complete control over the process environment and can reliably place shellcode at known addresses. This makes exploitation of this vulnerability trivial.