
List:       bugtraq
Subject:    IBM AIX: Buffer overflow vulnerability in CDE DtSvc library
From:       "IBM MSS Advisory Service" <advisory () us ! ibm ! com>
Date:       2001-10-30 0:33:40

(See attached file: AIX 29Oct 2001 Advisory.txt)

-----BEGIN PGP SIGNED MESSAGE-----

IBM SECURITY ADVISORY

Mon Oct 29 09:15:39 CST 2001
===========================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:    Buffer overflow vulnerability in CDE DtSvc library

PLATFORMS:        IBM AIX 4.3 and 5.1

SOLUTION:         Apply the emergency-fixes described below

THREAT:           Malicious user can obtain elevated privileges

CERT Advisory:    NONE

===========================================================================
                           DETAILED INFORMATION

I.  Description

A buffer overflow vulnerability has been found in the Common Desktop
Environment (CDE) libDtSvc.a library.

The vulnerability is triggered when a user passes a specially crafted string to
any of the "dt" commands (e.g., dtprintinfo and dtterm) using the "-session"
option.


II. Impact

A malicious local user can use well-crafted exploit code to gain elevated,
possibly root, privileges on the attacked system, compromising the integrity of
the system and its attached local network.

The exploitability of this vulnerability has not been studied completely.
Nonetheless, AIX system administrators and security personnel are urged to
apply the emergency patches being made available to preclude a possibly serious
attack.

III.  Solutions

  A.  Official fix

IBM is working on the following fixes which will be available soon:

AIX 5.1:  Pending assignment - the README file in the efix download directory
will be updated as soon as the assignment is made.

AIX 4.3:  APAR #IY24596

The APARs for AIX 4.3 and 5.1 will not be available until late November 2001.

NOTE: A fix will not be provided for versions prior to 4.3, as these are no
longer supported by IBM. Affected customers are urged to upgrade to 4.3.3 at the
latest maintenance level, or to 5.1.


  B.  How to minimize the vulnerability


WORKAROUND

None, other than disabling CDE.

EMERGENCY FIX (efix):

Temporary fixes for AIX 4.3.x and 5.1 systems are available.

The temporary fixes can be downloaded via ftp from:

ftp://aix.software.ibm.com/aix/efixes/security

The name of the efix you want to download to close this vulnerability is
CDE_libDtSvc_efix.tar.Z.

The efix compressed tarball contains a copy of this Advisory and another
tarfile, efix_binaries.tar. This latter tarfile will untar into two binary efix
files, libDtSvc.a_43 and libDtSvc.a_51, for AIX 4.3 and 5.1, respectively. In
addition, there is a detached PGP signature file for efix_binaries.tar. The
proper signature is that of AIX Security <security-alert@austin.ibm.com>.

These temporary fixes have not been fully regression tested; thus,
IBM does not warrant the fully correct functioning of the efix.
Customers install the efix and operate the modified version of AIX
at their own risk.

To proceed with efix installation:

First, verify that the MD5 cryptographic hash of the efix_binaries.tar you
obtain by unpacking the downloaded compressed tarball matches the value given
below. The two must match exactly; if they do not, double check the hash results
and the download site address. If both are correct and the hashes still differ,
contact IBM AIX Security at security-alert@austin.ibm.com and describe the
discrepancy.  Also, for those who use PGP, a second integrity check for the efix
binaries tarfile is the included detached PGP signature file,
efix_binaries.tar.asc.

MD5 (efix_binaries.tar) = 31db9713ba5a6a919cc882c7a0525217

IMPORTANT NOTE REGARDING MD5:
"MD5" is "Message Digest #5". MD5 is a 128-bit one-way cryptographic hash
algorithm.  It is used to generate a crypto-secure "signature" or "fingerprint"
of a file or a directory and its files. Although not 100% infallible, MD5 is
meant to be used to generate the secure, unique fingerprint of a
file/directory, and also to generate such a fingerprint of a file/directory for
comparison with someone else's MD5 fingerprint of that file/directory. If the
fingerprints match, then the file/directory being examined has not been
modified or replaced with another. Thus, one can be reasonably certain that the
file or fileset is the one originally created by a known, trusted entity, and
passed to the intended person or people.

Source code for MD5 can be obtained at:

ftp://ftp.funet.fi/pub/crypt/hash/mds/md5

Customers should download md5sum.tar.gz and the Makefile, and then compile to
make the executable.

To generate the hash signature of a file or fileset, enter on the command line
the name of the MD5 executable followed by the name of the file/directory of
interest.

Then compare the output hash with that given above.

Finally, the use of MD5, or not using it, does not affect in any way the
installation of the efix. It is meant to be a security measure only.

    efix Installation Instructions:
    -------------------------------

1. Become root, if not already done.

2. In the /tmp directory, uncompress and untar the efix:

       a. uncompress CDE_libDtSvc_efix.tar.Z
       b. tar -xvf CDE_libDtSvc_efix.tar    # extracts the Advisory and efix_binaries.tar
       c. tar -xvf efix_binaries.tar

You will now have two binary efix files: libDtSvc.a_43 and libDtSvc.a_51, one
for AIX 4.3 and the other for AIX 5.1, respectively.  You will also have a
PGP-signed copy of this advisory, named "Advisory".  There is also a detached
PGP signature of the efix_binaries.tar file.  The signature should be that of
AIX Security <security-alert@austin.ibm.com>.

Keep the binary file containing the patch for your version
of AIX. You may discard the unneeded one if you desire.

Now execute:

cp libDtSvc.a_xy libDtSvc.a   # where "xy" is either "43" or "51" as appropriate

3. Follow these instructions:

To install libDtSvc.a:

cd /usr/dt/lib
mv libDtSvc.a libDtSvc.a.orig   # make a backup of your original libDtSvc.a!
mv /tmp/libDtSvc.a .            # the new libDtSvc.a
chmod 444 libDtSvc.a
chown bin:bin libDtSvc.a
slibclean
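The hash check and the install steps above, written as a script so they can be rehearsed before touching /usr/dt/lib. This is an added example, not part of IBM's advisory or the efix; it assumes a POSIX sh with md5sum, md5 or openssl on the path, and it takes the library directory as an argument so the backup/replace sequence can be tried in a scratch directory first.

```shell
#!/bin/sh
# Added example (not IBM's code): verify efix_binaries.tar against the MD5
# published in the advisory, then install libDtSvc.a with a backup exactly as
# Section III.B describes. slibclean exists only on AIX and is skipped elsewhere.

# Published hash for efix_binaries.tar (value taken from the advisory).
EXPECTED_MD5=31db9713ba5a6a919cc882c7a0525217

# md5_of FILE: print the lowercase hex MD5 of FILE with whichever tool exists.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then   # BSD-style "MD5 (f) = hash"
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_md5 FILE EXPECTED: succeed only if the hashes match exactly.
verify_md5() {
    actual=$(md5_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# install_efix NEWLIB LIBDIR: back up LIBDIR/libDtSvc.a as libDtSvc.a.orig,
# move NEWLIB into place, set the advisory's mode and owner, unload stale
# copies of the shared library on AIX.
install_efix() {
    newlib=$1; libdir=$2
    [ -f "$newlib" ] && [ -d "$libdir" ] || return 1
    if [ -f "$libdir/libDtSvc.a" ]; then
        mv "$libdir/libDtSvc.a" "$libdir/libDtSvc.a.orig" || return 1
    fi
    mv "$newlib" "$libdir/libDtSvc.a" || return 1
    chmod 444 "$libdir/libDtSvc.a" || return 1
    # chown needs root; tolerate failure when rehearsing as an ordinary user.
    chown bin:bin "$libdir/libDtSvc.a" 2>/dev/null || true
    command -v slibclean >/dev/null 2>&1 && slibclean
    return 0
}

# On the real system (as root, after step 2 above):
#   verify_md5 /tmp/efix_binaries.tar "$EXPECTED_MD5" || exit 1
#   install_efix /tmp/libDtSvc.a /usr/dt/lib
```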


IV. Obtaining Fixes

IBM AIX APARs may be ordered using Electronic Fix Distribution (via the FixDist
program), or from the IBM Support Center.  For more information on FixDist, and
to obtain fixes via the Internet, please reference

        http://techsupport.services.ibm.com/rs6k/fixes.html

or send email to "aixserv@austin.ibm.com" with the word "FixDist" in the
"Subject:" line.

To facilitate ease of ordering all security related APARs for each AIX release,
security fixes are periodically bundled into a cumulative APAR.  For more
information on these cumulative APARs including last update and list of
individual fixes, send email to "aixserv@austin.ibm.com" with the word
"subscribe Security_APARs" in the "Subject:" line.


V.  Acknowledgements

Many thanks to Arai Yuu, of the LAC Computer Security Laboratory in Japan for
discovering this vulnerability!

VI.  Contact Information

Comments regarding the content of this announcement can be directed to:

   security-alert@austin.ibm.com

To request the PGP public key that can be used to encrypt new AIX security
vulnerabilities, send email to security-alert@austin.ibm.com with a subject of
"get key".

If you would like to subscribe to the AIX security newsletter, send a note to
aixserv@austin.ibm.com with a subject of "subscribe Security".  To cancel your
subscription, use a subject of "unsubscribe Security".  To see a list of other
available subscriptions, use a subject of "help".

IBM and AIX are registered trademarks of International Business Machines
Corporation.  All other trademarks are property of their respective holders.



