
List:       bugtraq
Subject:    [SNS Advisory No.46]IBM AIX dtprintinfo Buffer Overflow Vulnerability
From:       "snsadv () lac ! co ! jp" <snsadv () lac ! co ! jp>
Date:       2001-10-30 8:54:40

----------------------------------------------------------------------
SNS Advisory No.46
IBM AIX dtprintinfo Buffer Overflow Vulnerability

Problem first discovered: Fri, 05 Oct 2001
Published: Tue, 30 Oct 2001
----------------------------------------------------------------------

Overview:
---------
  A buffer overflow vulnerability was found in the /usr/dt/bin/dtprintinfo
  program shipped with IBM AIX. A local user could exploit it to execute
  arbitrary code with root privileges.

Problem Description:
--------------------
  dtprintinfo, included with IBM AIX, is the program that opens the CDE
  Print Manager window. It is normally installed set-user-ID root.

  The "-session" option tells dtprintinfo to restore the client to its
  saved desktop state by loading a session file. If the session filename
  given with this option is an unusually long string of characters,
  dtprintinfo overflows an internal buffer. Because the filename is an
  ordinary command-line argument, any local user can supply it, while
  the program runs with root privileges.

  Properly exploited, a local attacker could therefore execute arbitrary
  code with root privileges.

Tested OS:
----------
  IBM AIX 4.3.3

Solution:
---------
  This security issue was reported to IBM in advance. IBM released an
  advisory including an EMERGENCY FIX (efix) on October 29:

 ftp://aix.software.ibm.com/aix/efixes/security/CDE_libDtSvc_efix.tar.Z

  The efix filename indicates that the corrected component is the CDE
  libDtSvc shared library used by dtprintinfo rather than the dtprintinfo
  binary itself, so verification of the fix should look at the installed
  library. Additionally, the official fix will be made available soon.

Workarounds:
------------
  The following workaround minimizes the impact of this problem until the
  fix is applied:

  * Remove the SUID bit from /usr/dt/bin/dtprintinfo. Any Print Manager
    function that relied on root privileges will then be unavailable to
    non-root users, and the change must be repeated if the file is
    replaced by a later CDE update.
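  The following script applies and verifies the workaround above. It is an
  added example, not part of the SNS advisory or of IBM's efix; the
  function names (is_suid, strip_suid, list_suid_root) are this example's
  own, and the target path defaults to /usr/dt/bin/dtprintinfo only when
  given on the command line, so the functions can first be exercised on a
  scratch file.

```shell
#!/bin/sh
# Added example (not from the advisory): remove the set-user-ID bit from a
# binary and verify the change. Written for POSIX sh so it runs on AIX.

# Return 0 if the file has the set-user-ID bit, 1 otherwise.
is_suid() {
    [ -u "$1" ]
}

# Strip set-user-ID and set-group-ID from the file, then re-check.
# Prints one of "already clean", "stripped" or "FAILED".
# Returns 0 on success, 1 if the bit is still set, 2 if the file is missing.
strip_suid() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "no such file: $f" >&2
        return 2
    fi
    if ! is_suid "$f"; then
        echo "already clean: $f"
        return 0
    fi
    chmod u-s,g-s "$f" || return 1
    if is_suid "$f"; then
        echo "FAILED: $f is still set-user-ID"
        return 1
    fi
    echo "stripped: $f"
    return 0
}

# List set-user-ID root files under a directory, so an administrator can
# see which other CDE helpers are installed the same way before deciding
# whether to lock them down too (the advisory itself covers only dtprintinfo).
list_suid_root() {
    find "$1" -type f -user root -perm -4000 -print 2>/dev/null
}

# Usage on the affected host, as root:
#   sh strip_suid.sh /usr/dt/bin/dtprintinfo
# With no argument the script only defines the functions.
if [ $# -gt 0 ]; then
    strip_suid "$1"
    list_suid_root "$(dirname "$1")"
fi
```

  Run it once with a scratch file you own to see the three reported
  states, then as root against /usr/dt/bin/dtprintinfo; re-run it after
  installing the efix or any CDE update, since a reinstalled binary will
  carry the set-user-ID bit again.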

Discovered by:
--------------
  Noboru Yoshinaga (LAC) yosinaga@lac.co.jp
  ARAI Yuu         (LAC) y.arai@lac.co.jp

Disclaimer:
-----------
  All information in these advisories is subject to change without
  advance notice or mutual consent, and is released as is. LAC Co., Ltd.
  is not responsible for any risks arising from the use of this
  information.

References
----------
  Archive of this advisory (in preparation):
  http://www.lac.co.jp/security/english/snsadv_e/46_e.html

------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC  http://www.lac.co.jp/security/
