SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   OS (UNIX)  >   IBM AIX Vendors:   IBM
IBM AIX libc MALLOCDEBUG File Overwrite Bug Lets Local Users Gain Root Privileges
SecurityTracker Alert ID:  1022261
SecurityTracker URL:  http://securitytracker.com/id/1022261
CVE Reference:   CVE-2009-1786   (Links to External Site)
Updated:  May 28 2009
Original Entry Date:  May 20 2009
Impact:   Modification of system information, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.3, 6.1
Description:   A vulnerability was reported in IBM AIX. A local user can obtain root privileges on the target system.

A local user can exploit a race condition in the MALLOCDEBUG debugging component of the malloc subsystem in the 'libc.a' library to overwrite arbitrary files on the target system.

The following libraries are affected:

/usr/ccs/lib/libc.a
/usr/ccs/lib/libp/libc.a

iDefense Labs reported this vulnerability.

Impact:   A local user can obtain root privileges on the target system.
Solution:   The vendor has issued the following APARs (with availability date):

5.3.0 IZ50500 07/01/09
5.3.7 IZ50517 07/01/09
5.3.8 IZ50447 07/01/09
5.3.9 IZ50445 07/01/09
6.1.0 IZ50139 06/03/09
6.1.1 IZ50129 06/03/09
6.1.2 IZ50121 06/03/09

The APARs are available at:

http://www.ibm.com/support/docview.wss?uid=isg1IZ50500
http://www.ibm.com/support/docview.wss?uid=isg1IZ50517
http://www.ibm.com/support/docview.wss?uid=isg1IZ50447
http://www.ibm.com/support/docview.wss?uid=isg1IZ50445
http://www.ibm.com/support/docview.wss?uid=isg1IZ50139
http://www.ibm.com/support/docview.wss?uid=isg1IZ50129
http://www.ibm.com/support/docview.wss?uid=isg1IZ50121

The vendor's advisory is available at:

http://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc

Vendor URL:  aix.software.ibm.com/aix/efixes/security/libc_advisory.asc (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Wed, 20 May 2009 00:33:17 -0400
Subject:  IBM AIX


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Tue May 19 10:27:38 CDT 2009

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc
or
ftp://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc

VULNERABILITY SUMMARY

VULNERABILITY: AIX libc MALLOCDEBUG file overwrite vulnerability

PLATFORMS: AIX 5.3, 6.1

SOLUTION: Apply the fix as described below.

THREAT: A local user may execute arbitrary code as root.


DETAILED INFORMATION

I. DESCRIPTION

There is a race condition in the MALLOCDEBUG debugging component
of the malloc subsystem in the library libc.a. A local user can
exploit this race condition when executing setuid root programs
and thereby overwrite any file in the system.

The successful exploitation of this vulnerability allows a local
user to overwrite arbitrary files and execute arbitrary code as
the root user.

The following libraries are vulnerable:

/usr/ccs/lib/libc.a
/usr/ccs/lib/libp/libc.a

II. PLATFORM VULNERABILITY ASSESSMENT

To determine if your system is vulnerable, execute the following
command:

lslpp -L bos.rte.libc bos.adt.prof

The following fileset levels are vulnerable:

AIX Fileset Lower Level Upper Level
------------------------------------------------
bos.rte.libc 5.3.0.0 5.3.0.71
bos.rte.libc 5.3.7.0 5.3.7.8
bos.rte.libc 5.3.8.0 5.3.8.5
bos.rte.libc 5.3.9.0 5.3.9.2
bos.rte.libc 6.1.0.0 6.1.0.9
bos.rte.libc 6.1.1.0 6.1.0.4
bos.rte.libc 6.1.2.0 6.1.0.3

bos.adt.prof 5.3.0.0 5.3.0.71
bos.adt.prof 5.3.7.0 5.3.7.8
bos.adt.prof 5.3.8.0 5.3.8.5
bos.adt.prof 5.3.9.0 5.3.9.2
bos.adt.prof 6.1.0.0 6.1.0.9
bos.adt.prof 6.1.1.0 6.1.0.4
bos.adt.prof 6.1.2.0 6.1.0.3

III. SOLUTIONS

A. APARS

IBM has assigned the following APARs to this problem:

AIX Level APAR number Availability
---------------------------------------------------
5.3.0 IZ50500 07/01/09
5.3.7 IZ50517 07/01/09
5.3.8 IZ50447 07/01/09
5.3.9 IZ50445 07/01/09
6.1.0 IZ50139 06/03/09
6.1.1 IZ50129 06/03/09
6.1.2 IZ50121 06/03/09

Subscribe to the APARs here:

http://www.ibm.com/support/docview.wss?uid=isg1IZ50500
http://www.ibm.com/support/docview.wss?uid=isg1IZ50517
http://www.ibm.com/support/docview.wss?uid=isg1IZ50447
http://www.ibm.com/support/docview.wss?uid=isg1IZ50445
http://www.ibm.com/support/docview.wss?uid=isg1IZ50139
http://www.ibm.com/support/docview.wss?uid=isg1IZ50129
http://www.ibm.com/support/docview.wss?uid=isg1IZ50121

By subscribing, you will receive periodic email alerting you
to the status of the APAR, and a link to download the fix once
it becomes available.

B. FIXES

Fixes are now available. The fixes can be downloaded from:

ftp://aix.software.ibm.com/aix/efixes/security/libc_fix.tar
http://aix.software.ibm.com/aix/efixes/security/libc_fix.tar

The links above are to a tar file containing this signed
advisory, fix packages, and PGP signatures for each package.

AIX Level Interim Fix (*.Z)
-------------------------------------------------------------------
5.3.0 TL6 IZ50500_06.090518.epkg.Z
IZ50500_6p.090518.epkg.Z
5.3.7 IZ50517_07.090518.epkg.Z
IZ50517_7p.090518.epkg.Z
5.3.8 IZ50447_08.090518.epkg.Z
IZ50447_8p.090518.epkg.Z
5.3.9 IZ50445_09.090518.epkg.Z
IZ50445_9p.090518.epkg.Z
6.1.0 IZ50139_00.090518.epkg.Z
IZ50139_0p.090518.epkg.Z
6.1.1 IZ50129_01.090518.epkg.Z
IZ50129_1p.090518.epkg.Z
6.1.2 IZ50121_02.090518.epkg.Z
IZ50121_2p.090518.epkg.Z

To extract the fixes from the tar file:

tar xvf libc_fix.tar
cd libc_fix

Verify you have retrieved the fixes intact:

The checksums below were generated using the "csum -h SHA1"
(sha1sum) commands and are as follows:

csum -h SHA1 (sha1sum) filename
------------------------------------------------------------------
80f649050df9dc751ea09e1922a6c6706c4e79eb IZ50121_02.090518.epkg.Z
979cce8f4d6325639a67370d50187cd477694167 IZ50121_2p.090518.epkg.Z
be2e7de24d377b3dc9b6c21c7aad1d0a30d7a046 IZ50129_01.090518.epkg.Z
128192f5ff1da83f20b76bc71cc143f4b794b8c8 IZ50129_1p.090518.epkg.Z
89e95c3cf290e3aa5c873f4a72a7cf43a40538ce IZ50139_00.090518.epkg.Z
79e3809b6eab0a22dfccc439a05f7aeb783c98fa IZ50139_0p.090518.epkg.Z
b2c62c2f70afa878981cce54b46f5ded84d8a19b IZ50445_09.090518.epkg.Z
15ebed2c29eaf50edc3700aba31a3612df98ec8e IZ50445_9p.090518.epkg.Z
59dc98268ac747047201ef9bd0a1c7d025ffb5e0 IZ50447_08.090518.epkg.Z
e2aeed42f445c7b6faa333a1f3920cff2bbb8379 IZ50447_8p.090518.epkg.Z
7786e1df8fd45d04c659d0ebb1ae4aa01faa51a1 IZ50500_06.090518.epkg.Z
4f2a7af24fa11af81558879b1948ef75bfbf09cc IZ50500_6p.090518.epkg.Z
c7c36f59d8ffe3b7f683fd76d40c5843e86767b8 IZ50517_07.090518.epkg.Z
96290c02e054472ae48dd43b50c912c699b7ef9e IZ50517_7p.090518.epkg.Z

To verify the sums, use the text of this advisory as input to
csum or sha1sum. For example:

csum -h SHA1 -i Advisory.asc
sha1sum -c Advisory.asc

These sums should match exactly. The PGP signatures in the tar
file and on this advisory can also be used to verify the
integrity of the fixes. If the sums or signatures cannot be
confirmed, contact IBM AIX Security and describe the
discrepancy at the following address:

security-alert@austin.ibm.com

C. INTERIM FIX INSTALLATION

IMPORTANT: If possible, it is recommended that a mksysb backup
of the system be created. Verify it is both bootable and
readable before proceeding.

Interim fixes have had limited functional and regression
testing but not the full regression testing that takes place
for Service Packs; thus, IBM does not warrant the fully
correct functionality of an interim fix.

Interim fix management documentation can be found at:

http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

To preview an interim fix installation:

emgr -e ipkg_name -p # where ipkg_name is the name of the
# interim fix package being previewed.

To install an interim fix package:

emgr -e ipkg_name -X # where ipkg_name is the name of the
# interim fix package being installed.

IV. WORKAROUNDS

There are no workarounds.

V. OBTAINING FIXES

AIX security fixes can be downloaded from:

http://aix.software.ibm.com/aix/efixes/security
or
ftp://aix.software.ibm.com/aix/efixes/security

AIX fixes can be downloaded from:

http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix

NOTE: Affected customers are urged to upgrade to the latest
applicable Technology Level and Service Pack.

VI. CONTACT INFORMATION

If you would like to receive AIX Security Advisories via email,
please visit:

http://www.ibm.com/systems/support

and click on the "My notifications" link.

To view previously issued advisories, please visit:

http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

Comments regarding the content of this announcement can be
directed to:

security-alert@austin.ibm.com

To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team you can either:

A. Download the key from our web page:

http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt

B. Download the key from a PGP Public Key Server. The key ID is:

0xADA6EB4D

Please contact your local IBM AIX support center for any
assistance.

eServer is a trademark of International Business Machines
Corporation. IBM, AIX and pSeries are registered trademarks of
International Business Machines Corporation. All other trademarks
are property of their respective holders.

VII. ACKNOWLEDGMENTS

This vulnerability was reported by iDefense Labs.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFKEwLLP9Qud62m600RAsKIAKCk4Rdv9OIA3bqOoeZzsDpD9ckFhwCgzH/x
+HnGrYPbC6p8O0icRyREQQA=
=1zsM
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC