TUCoPS :: Unix :: Various Flavours :: ciacl014.htm

AIX Format String Vulnerability
AIX Format String Vulnerability Privacy and Legal Notice

CIAC INFORMATION BULLETIN

L-014: AIX Format String Vulnerability

October 27, 2000 20:00 GMT
PROBLEM:       IBM has identified a format string vulnerability in AIX(r)
               locale subsystem.
PLATFORM:      IBM AIX 3.2.x, 4.1.x, 4.2.x, and 4.3.x
DAMAGE:        Local users can gain root access.
SOLUTION:      Apply the fixes as indicated below.

VULNERABILITY Risk is MEDIUM. The vulnerability affects system security and ASSESSMENT: is publicly known.
[****** Start of IBM Security Bulletin ******] --------------------------------------------------------------------------- VULNERABILITY SUMMARY VULNERABILITY: Format string vulnerability in AIX(r) locale subsystem. PLATFORMS: IBM AIX 3.2.x, 4.1.x, 4.2.x, 4.3.x SOLUTION: Apply the fixes listed below. THREAT: Local users can gain root access. CVE candidate: CAN-2000-0844 --------------------------------------------------------------------------- DETAILED INFORMATION I. Description AIX allows user specified locale file to be used for displaying messages. This functionality is provided through the catopen() call. This call uses the NLSPATH environment variable to specify an alternate locale file instead of one of the system locale files. By constructing a valid locale file which contains special format characters and setting the NLSPATH environment variable to point to its path, a malicious user can have privileged applications use his locale file to obtain root privileges. II. Impact Any executable with the setuid or setgid bit set is potentially vulnerable to root compromise. II. Solutions A. Official fix IBM is working on the following fix which will be available soon: AIX 4.3.x: IY13753 NOTE: Fix will not be provided for versions prior to 4.3 as these are no longer supported by IBM. Affected customers are urged to upgrade to 4.3, or higher. B. How to minimize the vulnerability A temporary fix for AIX 4.3.x systems is available which ignores the NLSPATH environment variable. Note that pending standards compliance review, the actual APAR fix may or may not be implemented the same way. The temporary fix can be downloaded via ftp from: ftp://aix.software.ibm.com/aix/efixes/security/locale_format_efix.tar.Z The MD5 checksum for the efix libc is: Filename sum md5 ----------------------------------------------------------------- libc.a 12878 6149 f8169a0c985220874c0404b4c69d5f20 This temporary fix has not been fully regression tested. Do the following steps (as root) to install the temporary fix: 1. Determine the version of the libc fileset on your machine. # lslpp -l bos.rte.libc If the version of the libc.a fileset for your machine is not at the level given below, install the requisite APAR listed. This will help ensure that the libc fix will run properly. Release Fileset Version requisite APAR ------------------------------------------------------------ AIX 4.3.x bos.rte.libc 4.3.3.25 IY12541 2. Uncompress and extract the fix. a. place the temporary fix in a directory of your choosing, e.g., "your_dir"; using /tmp as your_dir is a reasonable choice b. # uncompress < locale_format_efix.tar.Z | tar xf - The efix libc.a will be extracted to your_dir/locale_format/lib 3. Make sure the new libc.a works on your system. a. # slibclean b. # export LIBPATH=your_dir/locale_format/lib c. # ls your_dir NOTE: This "ls" is a simple test to make sure the new libc.a works. If this does *NOT* work (i.e. you get a "killed" message), then do *NOT* go further...this libc.a does not work on your system. 4. Follow the instructions below to install the new libc.a. Make a copy of the original libc.a (make sure there is enough free apace in the filesystem to for you to work with), e.g., a. # mkdir /usr/ccs/lib/sv b. # cp /usr/ccs/lib/libc.a /usr/ccs/lib/sv Copy the libc.a fix into place, e.g., a. # cp -f your_dir/locale_format/lib/libc.a /usr/ccs/lib/ b. # chown bin.bin /usr/ccs/lib/libc.a c. # chmod 555 /usr/ccs/lib/libc.a d. # ln -sf /usr/ccs/lib/libc.a /usr/lib/libs.a e. # unset LIBPATH f. # slibclean Make sure that the new libraries will be picked up at the next reboot. # bosboot -a 4. Reboot. IV. Obtaining Fixes IBM AIX APARs may be ordered using Electronic Fix Distribution (via the FixDist program), or from the IBM Support Center. For more information on FixDist, and to obtain fixes via the Internet, please reference http://techsupport.services.ibm.com/rs6k/fixes.html or send email to "aixserv@austin.ibm.com" with the word "FixDist" in the "Subject:" line. To facilitate ease of ordering all security related APARs for each AIX release, security fixes are periodically bundled into a cumulative APAR. For more information on these cumulative APARs including last update and list of individual fixes, send email to "aixserv@austin.ibm.com" with the word "subscribe Security_APARs" in the "Subject:" line. V. Acknowledgements Thanks to Ivan Arce of CORE-SDI for bringing this vulnerability to our attention. VI. Contact Information Comments regarding the content of this announcement can be directed to: security-alert@austin.ibm.com To request the PGP public key that can be used to encrypt new AIX security vulnerabilities, send email to security-alert@austin.ibm.com with a subject of "get key". If you would like to subscribe to the AIX security newsletter, send a note to aixserv@austin.ibm.com with a subject of "subscribe Security". To cancel your subscription, use a subject of "unsubscribe Security". To see a list of other available subscriptions, use a subject of "help". IBM and AIX are a registered trademark of International Business Machines Corporation. All other trademarks are property of their respective holders. ----------------------------------------------------------------------------- IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based Internet security response service that includes computer security incident response and management, regular electronic verification of your Internet gateway(s), and security vulnerability alerts similar to this one that are tailored to your specific computing environment. IBM's Virus Emergency Response Service is a subscription-based service that provides assistance with virus risk and emergency management. By acting as an extension of your own internal security staff, IBM-ERS's team of security experts helps you quickly detect and respond to attacks and exposures to your I/T infrastructre. As a part of IBM's Business Continuity Recovery Services organization, the IBM Emergency Response Service is a component of IBM's SecureWay(tm) line of security products and services. From hardware to software to consulting, SecureWay solutions can give you the assurance and expertise you need to protect your valuable business resources. To find out more about the IBM Emergency Response Service, send an electronic mail message to ers-sales@ers.ibm.com, or call 1-800-426-7378. IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/. Visit the site for information about the service, copies of security alerts, team contact information, and other items. IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for security vulnerability alerts and other distributed information. The IBM-ERS PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html. "Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann. IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams (FIRST), a global organization established to foster cooperation and response coordination among computer security teams worldwide. Copyright 2000 International Business Machines Corporation. The information in this document is provided as a service to customers of the IBM Emergency Response Service. Neither International Business Machines Corporation, nor any of its employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process contained herein, or represents that its use would not infringe any privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by IBM or its subsidiaries. The views and opinions of authors expressed herein do not necessarily state or reflect those of IBM or its subsidiaries,and may not be used for advertising or product endorsement purposes. The material in this document may be reproduced and distributed, without permission, in whole or in part, by other security incident response teams (both commercial and non-commercial), provided the above copyright is kept intact and due credit is given to IBM-ERS. This document may be reproduced and distributed, without permission, in its entirety only, by any person provided such reproduction and/or distribution is performed for non-commercial purposes and with the intent of increasing the awareness of the Internet community. [****** End of IBM Security Bulletin ******]

CIAC wishes to acknowledge the contributions of IBM Company for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788
[Privacy and Legal Notice]

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH