AIX allows a user-specified locale file to be used for displaying messages. This functionality is provided through the catopen() call, which uses the NLSPATH environment variable to specify an alternate locale file instead of one of the system locale files. By constructing a valid locale file that contains special format characters and setting the NLSPATH environment variable to point to its path, a malicious user can have privileged applications use his locale file to obtain root privileges.
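One way an application can defend itself against a message catalog selected through NLSPATH, given as an added example that is not part of the original advisory and is not IBM's fix: accept a string returned by catgets() as a printf format only if it consumes exactly the same arguments as the compiled-in default. The names fmt_signature and safe_catmsg and the sample strings are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Write the argument signature of a printf-style format into sig, e.g.
 * "uid %5d of %s" -> "ds", "%ld" -> "ld". Returns -1 on %n, '*',
 * positional "%1$s", a dangling '%', or too many conversions for sig. */
static int fmt_signature(const char *fmt, char *sig, size_t siglen)
{
    size_t n = 0;
    if (siglen == 0) return -1;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (*++p == '%')
            continue;                           /* literal "%%" */
        p += strspn(p, "-+ #0");                /* flags */
        p += strspn(p, "0123456789");           /* width */
        if (*p == '.')
            p += 1 + strspn(p + 1, "0123456789");   /* precision */
        size_t mods = strspn(p, "hlLjzt");      /* length modifiers */
        if (p[mods] == '\0' || !strchr("diouxXeEfgGcsp", p[mods]) ||
            n + mods + 2 > siglen)
            return -1;
        memcpy(sig + n, p, mods + 1);           /* modifiers + conversion */
        n += mods + 1;
        p += mods;                  /* the loop's p++ skips the conversion */
    }
    sig[n] = '\0';
    return 0;
}

/* Use the catalog string only if its signature equals the default's. */
const char *safe_catmsg(const char *dflt, const char *from_catalog)
{
    char want[64], got[64];
    if (from_catalog == NULL ||
        fmt_signature(dflt, want, sizeof want) != 0 ||
        fmt_signature(from_catalog, got, sizeof got) != 0 ||
        strcmp(want, got) != 0)
        return dflt;
    return from_catalog;
}

int main(void)
{
    const char *dflt = "cannot open %s: error %d\n";   /* constructed sample */
    puts(safe_catmsg(dflt, "open failed %s %x\n") == dflt ? "rejected" : "accepted");
    return 0;
}
```

Because positional arguments are rejected, a translation that needs to reorder its arguments falls back to the default text under this check.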
Credit:
The information has been provided by IGS ERS Advisory Service/Charlotte/IBM.
Impact:
Any executable with the setuid or setgid bit set is potentially vulnerable to root compromise.
Solution:
IBM is working on the following fix which will be available soon:
AIX 4.3.x: IY13753
Note: The fix will not be provided for versions prior to 4.3 as IBM no longer supports these. Affected customers are urged to upgrade to 4.3, or higher.
Workaround:
A temporary fix for AIX 4.3.x systems is available which ignores the NLSPATH environment variable. Note that pending standards compliance review, the actual APAR fix may or may not be implemented the same way. The temporary fix can be downloaded via ftp from:
ftp://aix.software.ibm.com/aix/efixes/security/locale_format_efix.tar.Z
This temporary fix has not been fully regression tested. Do the following steps (as root) to install the temporary fix:
1. Determine the version of the libc file set on your machine.
# lslpp -l bos.rte.libc
If the version of the libc.a fileset for your machine is not at the level given below, install the requisite APAR listed. This will help ensure that the libc fix will run properly.
Release      Fileset         Version     Requisite APAR
AIX 4.3.x    bos.rte.libc    4.3.3.25    IY12541
2. Uncompress and extract the fix.
a. Place the temporary fix in a directory of your choosing, e.g., "your_dir"; using /tmp as your_dir is a reasonable choice.
b. # uncompress < locale_format_efix.tar.Z | tar xf -
The efix libc.a will be extracted to your_dir/locale_format/lib
3. Make sure the new libc.a works on your system.
a. # slibclean
b. # export LIBPATH=your_dir/locale_format/lib
c. # ls your_dir
NOTE: This "ls" is a simple test to make sure the new libc.a works. If this does NOT work (i.e. you get a "killed" message), then do NOT go further; this libc.a does not work on your system.
4. Follow the instructions below to install the new libc.a.
Make a copy of the original libc.a (make sure there is enough free space in the filesystem for you to work with), e.g.,
a. # mkdir /usr/ccs/lib/sv
b. # cp /usr/ccs/lib/libc.a /usr/ccs/lib/sv
Copy the libc.a fix into place, e.g.,
a. # cp -f your_dir/locale_format/lib/libc.a /usr/ccs/lib/
b. # chown bin.bin /usr/ccs/lib/libc.a
c. # chmod 555 /usr/ccs/lib/libc.a
d. # ln -sf /usr/ccs/lib/libc.a /usr/lib/libc.a
e. # unset LIBPATH
f. # slibclean
Make sure that the new libraries will be picked up at the next reboot.
# bosboot -a
5. Reboot.
Obtaining Fixes:
IBM AIX APARs may be ordered using Electronic Fix Distribution (via the FixDist program), or from the IBM Support Center. For more information on FixDist, and to obtain fixes via the Internet, please reference:
http://techsupport.services.ibm.com/rs6k/fixes.html
Alternatively, send email to "aixserv@austin.ibm.com" with the word "FixDist" in the "Subject:" line.
To facilitate ease of ordering all security related APARs for each AIX release, security fixes are periodically bundled into a cumulative APAR. For more information on these cumulative APARs including last update and list of individual fixes, send email to "aixserv@austin.ibm.com" with the word "subscribe Security_APARs" in the "Subject:" line.