Category:   OS (UNIX)  >   IBM AIX
Vendors:   IBM
IBM AIX Buffer Overflows in rsh, rcp, rlogin, and rdist Commands Let Local Users Gain Root Privileges
SecurityTracker Alert ID:  1017607
SecurityTracker URL:
CVE Reference:   CVE-2007-0670
Updated:  May 19 2008
Original Entry Date:  Feb 8 2007
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.2, 5.3
Description:   A vulnerability was reported in IBM AIX. A local user can obtain root privileges on the target system.

A local user can trigger a buffer overflow in various r-commands to execute arbitrary code on the target system with root privileges.

The rsh, rcp, rlogin, and rdist commands are affected.

Impact:   A local user can obtain root privileges on the target system.
Solution:   The vendor has issued an interim fix, available at:

The vendor plans to issue the following fixes:

APAR number for AIX 5.2.0: IY94368 (available approx. 03/21/07)
APAR number for AIX 5.3.0: IY94301 (available approx. 03/07/07)

Vendor URL:
Cause:   Boundary error
Underlying OS:  

Message History:   None.

 Source Message Contents

Date:  Thu, 8 Feb 2007 08:36:04 -0500
Subject:  IBM AIX



First Issued: Wed Feb  7 16:05:27 CST 2007
                           VULNERABILITY SUMMARY

VULNERABILITY:      A buffer overflow vulnerability exists in various

PLATFORMS:          AIX 5.2 and 5.3.

SOLUTION:           Apply the APAR, interim fix or workaround as
                    described below.

THREAT:             A local user may gain privileges.

CERT VU Number:     n/a
CVE Number:         n/a
                           DETAILED INFORMATION

I.  Description

A buffer overflow vulnerability in various r-commands may allow a local
user to gain root privileges. This vulnerability may be exploited through
the rsh, rcp, rlogin and rdist commands. These commands are used to provide
remote access to a system.

II. Impact

A local user may gain root privileges.

III.  Solutions

A. Official Fix

IBM provides the following fixes:

      APAR number for AIX 5.2.0:  IY94368 (available approx. 03/21/07)
      APAR number for AIX 5.3.0:  IY94301 (available approx. 03/07/07)

NOTE: Affected customers are urged to upgrade to the latest applicable
Technology Level.

The following table shows the vulnerable versions of bos.rte.libc and for the specified AIX Releases.

Release              Lower         Upper
                     Level         Level
AIX 5.2    
AIX 5.3    

B. Interim Fix

Interim fixes are available. The interim fixes can be downloaded via ftp

This is a compressed tarball containing this advisory, interim fix packages
and cleartext PGP signatures for each package.

Verify you have retrieved the fixes intact:
The interim fixes below are named by using the Technology Level
corresponding to the release that the fix applies to.

The checksums below were generated using the "sum" and "md5sum" commands
and are as follows:

The interim fixes below include prerequisite checking. This will enforce
the correct mapping between the fixes and AIX Technology Levels. The
interim fixes replace libc.a which ships as part of bos.rte.libc. When
installing these fixes, it will be necessary to remove other interim fixes
which modify libc.a. These interim fixes also address the buffer overflow
vulnerability in setlocale() addressed in a security advisory released in
August 2006.

Filename                   sum           md5
IY94368_07.070206.epkg.Z   48092  3157   4e4bf247f1d42056f921efe60f6c98f0
IY94368_08.070206.epkg.Z   65051  3151   56fda7a07bb345f54b5cf0ff3a79f8ff
IY94368_09.070207.epkg.Z   57140  3167   8f1a57712588eefb2efd508faa7bebe4
IY94301_03.070206.epkg.Z   54915  3514   b26abfaa38300b63058e2fab793a3690
IY94301_04.070206.epkg.Z   64611  3524   a9728fb1df18403104786321f4b09fbc
IY94301_05.070207.epkg.Z   26724  3567   9269c1839e02dc6dc60c32713eaa1fbc

These sums should match exactly. The PGP signatures in the compressed
tarball and on this advisory can also be used to verify the integrity of
the various files they correspond to. If the sums or signatures cannot be
confirmed, double check the command results and the download site address.
If those are OK, contact IBM AIX Security at
and describe the discrepancy.
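
Added example (not part of the IBM advisory or the SecurityTracker entry): a shell check of downloaded interim fix packages against the md5 column of the table above. The function names are illustrative, and the fallback to AIX `csum -h MD5` when `md5sum` is absent is an assumption about the host.

```shell
# Added example: check downloaded interim fix packages against the md5
# column of the advisory table. Function names are illustrative.

# Filename / md5 pairs copied from the advisory table.
advisory_md5_table() {
cat <<'EOF'
IY94368_07.070206.epkg.Z 4e4bf247f1d42056f921efe60f6c98f0
IY94368_08.070206.epkg.Z 56fda7a07bb345f54b5cf0ff3a79f8ff
IY94368_09.070207.epkg.Z 8f1a57712588eefb2efd508faa7bebe4
IY94301_03.070206.epkg.Z b26abfaa38300b63058e2fab793a3690
IY94301_04.070206.epkg.Z a9728fb1df18403104786321f4b09fbc
IY94301_05.070207.epkg.Z 9269c1839e02dc6dc60c32713eaa1fbc
EOF
}

# Print a file's MD5 as lowercase hex: md5sum (named in the advisory) if
# present, otherwise AIX csum (assumed to be available on the host).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1"
    else
        csum -h MD5 "$1"
    fi | awk '{print $1}' | tr 'A-F' 'a-f'
}

# verify_table DIR: read "filename md5" lines on stdin and check each file
# that exists in DIR. Succeeds only if at least one file was checked and
# none mismatched, so an empty or wrong directory never passes.
verify_table() {
    dir=$1; checked=0; bad=0
    while read -r name want; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "SKIP $name (not present)"
            continue
        fi
        got=$(file_md5 "$dir/$name")
        checked=$((checked + 1))
        if [ "$got" = "$want" ]; then
            echo "OK $name"
        else
            echo "MISMATCH $name expected=$want got=$got"
            bad=$((bad + 1))
        fi
    done
    [ "$checked" -gt 0 ] && [ "$bad" -eq 0 ]
}

# verify_ifix DIR: check DIR against the advisory's own table.
verify_ifix() { advisory_md5_table | verify_table "$1"; }
```

Source the file and run `verify_ifix` on the directory holding the unpacked packages; a non-zero status means a mismatch or that no listed package was found. A matching MD5 only shows the file arrived intact, so the PGP signatures the advisory mentions remain the check on origin.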

The following table shows the prerequisite fileset level for the fixes
above. These levels correspond to the latest available versions of
bos.rte.libc for a given Technology Level.

Filename                   Fileset

IMPORTANT: If possible, it is recommended that a mksysb backup of the
system is created. Verify it is both bootable, and readable before

These interim fixes have not been fully regression tested; thus, IBM does
not warrant the fully correct functioning of the interim fix. Customers
install the interim fix and operate the modified version of AIX at their
own risk.

Interim Installation Instructions:

These packages use the new Interim Fix Management Solution to install and
manage ifixes. More information can be found at:

To preview an epkg ifix installation execute the following command:

# emgr -e ipkg_name -p       # where ipkg_name is the name of the
                             # ifix package being previewed.

To install an epkg ifix package, execute the following command:

# emgr -e ipkg_name -X       # where ipkg_name is the name of the
                             # ifix package being installed.

The "X" flag will expand any filesystems if required.

C. Workaround

Remove the setuid bit from the rsh, rcp, rlogin and rdist commands. This
can be done as follows:

# chmod u-s 

Note that this may prevent these commands from functioning normally for
non-root users.

IV. Obtaining Fixes

AIX Version 5 APARs can be downloaded from:

Security related Interim Fixes can be downloaded from:

V.  Contact Information

If you would like to receive AIX Security Advisories via email, please

Comments regarding the content of this announcement can be directed to:

To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to
with a subject of "get key". The key can also be downloaded from a PGP
Public Key Server. The key id is 0x1B14F299.

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their respective

