Vulnerability

    diagrpt

Affected

    AIX 4.3.x and 5.1

Description

    The following is based on a security alert published by the IBM Emergency Response Service. AIX ships with the diagnostic reporting command, "diagrpt". This command is shipped SUID ("set user ID") and is executable by an ordinary user.

    An ordinary user is able to set the "DIAGDATADIR" environment variable to a directory of his or her choosing. In this directory, a user can place a carefully crafted shell program that is executed when the user runs the "diagrpt" command. Because "diagrpt" is SUID, the shell program runs as root, and this program will force the spawning of a new shell with root privileges.

    A malicious local user can use well-crafted exploit code to gain root privileges on the attacked system, compromising the integrity of the system and its attached local network.

Solution

    If you do not wish to install the efix for this vulnerability but would rather wait for the APAR that fixes it to be made available, you can also negate this vulnerability by making the "diagrpt" command non-SUID. You must be "root" to do this. However, ordinary users will not be able to use the command if the SUID bit is removed.

    IBM is working on the following fixes, which will be available soon:

        ftp://aix.software.ibm.com/aix/efixes/security/diagrpt_efix.tar.Z

    A fix will not be provided for versions prior to 4.3, as these are no longer supported by IBM. Affected customers are urged to upgrade to 4.3.3 at the latest maintenance level, or to 5.1.
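One way to apply and verify the non-SUID workaround described under Solution, as an added example that is not part of the IBM alert. The function names, the log file argument and the DIAGRPT_PATH variable are assumptions; the alert text above does not give the install path of "diagrpt", so it is passed in as a placeholder.

```shell
#!/bin/sh
# Added example: apply and verify the "make diagrpt non-SUID" workaround.
# DIAGRPT_PATH is a placeholder: locate the binary on your own system.

# is_suid FILE -> exit status 0 if FILE is a regular file with the SUID bit set
is_suid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# drop_suid FILE [LOGFILE]
# Records the current permissions and owner, clears the SUID bit, then
# confirms the bit is really gone.
# Returns: 0 = bit cleared or already clear, 1 = file missing, 2 = change failed
drop_suid() {
    file=$1
    log=${2:-/dev/null}
    [ -f "$file" ] || { echo "not found: $file" >&2; return 1; }
    if ! is_suid "$file"; then
        echo "already non-SUID: $file"
        return 0
    fi
    # Keep a record so the mode can be restored once the efix/APAR is installed.
    echo "before: $(ls -ld "$file")" >> "$log"
    chmod u-s "$file" || return 2
    if is_suid "$file"; then
        echo "SUID bit still set on $file" >&2
        return 2
    fi
    echo "after:  $(ls -ld "$file")" >> "$log"
    echo "SUID bit removed: $file"
    return 0
}

# Run as root with the path exported, e.g. DIAGRPT_PATH=/path/to/diagrpt
if [ -n "${DIAGRPT_PATH:-}" ]; then
    drop_suid "$DIAGRPT_PATH" "${DIAGRPT_LOG:-/dev/null}"
fi
```

Only the SUID bit is cleared; the other permission bits stay as shipped, and the logged "before" line shows the mode to restore after the fix is installed.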