Category:   OS (UNIX)  >   IBM AIX
Vendors:   IBM
IBM AIX Buffer Overflow in sa_snap Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1024430
SecurityTracker URL:  http://securitytracker.com/id/1024430
CVE Reference:   CVE-2010-3405   (Links to External Site)
Updated:  Sep 27 2010
Original Entry Date:  Sep 14 2010
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.3, 6.1
Description:   A vulnerability was reported in IBM AIX. A local user can obtain elevated privileges on the target system.

A local user in the system group can trigger a buffer overflow in '/usr/esa/sbin/sa_snap' to execute arbitrary code on the target system with root level privileges.

Impact:   A local user in the system group can obtain root privileges on the target system.
Solution:   The vendor has issued a fix.

AIX Level  APAR
5.3.10     IZ73757
5.3.11     IZ73681
5.3.12     IZ73590
6.1.2      IZ75465
6.1.3      IZ75440
6.1.4      IZ75369
6.1.5      IZ73599

The vendor's advisory is available at:

http://aix.software.ibm.com/aix/efixes/security/sa_snap_advisory.asc

Vendor URL:  aix.software.ibm.com/aix/efixes/security/sa_snap_advisory.asc (Links to External Site)
Cause:   Boundary error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Tue, 14 Sep 2010 03:42:57 +0000
Subject:  IBM AIX


	
AIX security vulnerabilities in sa_snap

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Mon Sep 13 13:15:05 CDT 2010

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/sa_snap_advisory.asc

VULNERABILITY SUMMARY

VULNERABILITY: AIX security vulnerabilities in sa_snap

PLATFORMS: AIX 5.3, 6.1, and earlier releases
VIOS 1.5, 2.1, and earlier releases

SOLUTION: Apply the fix or workaround as described below.

THREAT: A system group user may execute arbitrary code as 
root and delete sensitive files on the system.

CERT VU Number: N/A
CVE Number: N/A

Reboot required? NO
Workarounds? YES
Protected by FPM? NO
Protected by SED? NO
Protected by AIXPERT? NO

DETAILED INFORMATION

I. DESCRIPTION 

a) A buffer overflow is created in program 
/usr/esa/sbin/sa_snap, resulting in potential privilege 
escalation by system group users.

b) In AIX 5.3, a system group user can delete sensitive 
files on the system.

II. PLATFORM VULNERABILITY ASSESSMENT

Note: To use the following commands on VIOS you must first
execute:

oem_setup_env

To determine if your system is vulnerable, execute the following
command:

lslpp -L bos.esagent

The following fileset levels are vulnerable:

AIX Fileset    Lower Level      Upper Level
------------------------------------------------
bos.esagent    06.05.0010.0000  06.05.0010.0003
bos.esagent    06.05.0011.0000  06.05.0011.0004
bos.esagent    06.05.0012.0000  06.05.0012.0001
bos.esagent    06.06.0002.0000  06.06.0002.0005
bos.esagent    06.06.0003.0000  06.06.0003.0005
bos.esagent    06.06.0004.0000  06.06.0004.0007
bos.esagent    06.06.0005.0000  06.06.0005.0002


III. SOLUTION

A. FIXES

Fixes are now available. The fixes can be downloaded from:

http://aix.software.ibm.com/aix/efixes/security/sa_snap_fix.tar

The links above are to a tar file containing this signed
advisory, fix packages, and PGP signatures for each package.

AIX Level  VIOS Level  Fix
-------------------------------------------------------------------
5.3.10     1.5.2       IZ82630_10.100910.epkg.Z
5.3.11                 IZ82245_11.100910.epkg.Z
5.3.12                 IZ81819_12.100910.epkg.Z
6.1.2      2.1.0       IZ84167_02.100910.epkg.Z
6.1.3      2.1.1       IZ83909_03.100910.epkg.Z
6.1.4      2.1.2       IZ83975_04.100910.epkg.Z
6.1.5      2.1.3       IZ83942_05.100910.epkg.Z

To extract the fixes from the tar file:

tar xvf sa_snap_fix.tar
cd sa_snap

Verify you have retrieved the fixes intact:

The checksums below were generated using the "csum -h SHA1"
(sha1sum) commands and are as follows:

csum -h SHA1 (sha1sum) filename
------------------------------------------------------------------
1c86260dcaf2cdcd08f6646c98fcec9c0abeb1b6 IZ81819_12.100910.epkg.Z
3d0a20490c6271fb35afbe99cc028476b6ae8b68 IZ82245_11.100910.epkg.Z
6e67ebdfe904235099e2019b6118ee91ab162638 IZ82630_10.100910.epkg.Z
4d1b2f681103e7a0dcb88f20af17b0cc50d62b0d IZ83909_03.100910.epkg.Z
630ed06b834bc97a48411b2475f663125cb7b1ca IZ83942_05.100910.epkg.Z
954fc0b96abd0c2f293fb7a9a02487abf2d929b6 IZ83975_04.100910.epkg.Z
e71a6e1e22119a41147fa5a68291db0f82a59c0f IZ84167_02.100910.epkg.Z


To verify the sums, use the text of this advisory as input to
csum or sha1sum. For example:

csum -h SHA1 -i Advisory.asc
sha1sum -c Advisory.asc

These sums should match exactly. The PGP signatures in the tar
file and on this advisory can also be used to verify the
integrity of the fixes. If the sums or signatures cannot be
confirmed, contact IBM AIX Security and describe the
discrepancy at the following address:

security-alert@austin.ibm.com

B. FIX INSTALLATION

IMPORTANT: If possible, it is recommended that a mksysb backup
of the system be created. Verify it is both bootable and
readable before proceeding.

Fix management documentation can be found at:

http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

To preview fix installation:

emgr -e fix_name -p    # where fix_name is the name of the fix being previewed.

To install fix package:

emgr -e fix_name -X    # where fix_name is the name of the fix being installed.

C. APARS

IBM has assigned the following APARs to this problem:

AIX Level  APAR number  Service pack date
--------------------------------------------------------
5.3.10     IZ73757      9/22/10   sp5
5.3.11     IZ73681      9/22/10   sp5
5.3.12     IZ73590      9/22/10   sp2
6.1.2      IZ75465      10/20/10  sp10
6.1.3      IZ75440      10/20/10  sp7
6.1.4      IZ75369      10/20/10  sp7
6.1.5      IZ73599      10/20/10  sp3

Subscribe to the APARs here:

http://www.ibm.com/support/docview.wss?uid=isg1IZ82630
http://www.ibm.com/support/docview.wss?uid=isg1IZ82245
http://www.ibm.com/support/docview.wss?uid=isg1IZ81819
http://www.ibm.com/support/docview.wss?uid=isg1IZ84167
http://www.ibm.com/support/docview.wss?uid=isg1IZ83909
http://www.ibm.com/support/docview.wss?uid=isg1IZ83975
http://www.ibm.com/support/docview.wss?uid=isg1IZ83942

By subscribing, you will receive periodic email alerting you
to the status of the APAR, and a link to download the service
pack when it becomes available.

IV. WORKAROUND

The attacking user must be in the system group to exploit this
vulnerability and the system group is considered a privileged 
group that only root can create.

Please take this into consideration to prevent wrongly assigning
group ids.

VI. CONTACT INFORMATION

If you would like to receive AIX Security Advisories via email,
please visit:

http://www.ibm.com/systems/support

and click on the "My notifications" link.

To view previously issued advisories, please visit:

http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

Comments regarding the content of this announcement can be
directed to:

security-alert@austin.ibm.com

To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team you can either:

A. Send an email with "get key" in the subject line to:

security-alert@austin.ibm.com

B. Download the key from our web page:

http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt

C. Download the key from a PGP Public Key Server. The key ID is:

0x28BFAA12

Please contact your local IBM AIX support center for any
assistance.

eServer is a trademark of International Business Machines
Corporation. IBM, AIX and pSeries are registered trademarks of
International Business Machines Corporation. All other trademarks
are property of their respective holders.

VII. ACKNOWLEDGMENTS

Lucas McLane, CISSP for disclosing and providing PoC. 
Also, Joe Cushing for helping Lucas with AIX microcode upgrades.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFMjnpe4fmd+Ci/qhIRAj6WAJ4+Y3H5gerkxj9Xb7PU89yz5SnSRQCfTjWf
k7sCRdUsijp7lpinJ3TBG4Q=
=Y1G7
-----END PGP SIGNATURE----- 
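Section II of the advisory asks administrators to run "lslpp -L bos.esagent" and compare the installed level against the vulnerable ranges by hand. The POSIX shell script below is an added example, not part of IBM's advisory or SecurityTracker's entry: it automates that comparison, assumes the level format lslpp prints (e.g. 6.5.10.2, which must be compared numerically against the zero-padded ranges as published), and works on a constructed sample instead of running lslpp.

```shell
# Added example, not from the IBM advisory: check whether an installed
# bos.esagent level falls inside a vulnerable range from section II.
# Assumes the level format printed by "lslpp -L bos.esagent" (e.g. 6.5.10.2).
# Vulnerable ranges as published in the advisory, one "lower upper" pair per line.
VULN_RANGES='06.05.0010.0000 06.05.0010.0003
06.05.0011.0000 06.05.0011.0004
06.05.0012.0000 06.05.0012.0001
06.06.0002.0000 06.06.0002.0005
06.06.0003.0000 06.06.0003.0005
06.06.0004.0000 06.06.0004.0007
06.06.0005.0000 06.06.0005.0002'

# Compare two dotted levels as integers, component by component, printing -1, 0 or 1;
# a plain string comparison would mis-order 6.5.10.2 against 06.05.0010.0003.
level_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# Exit status 0 when LEVEL lies within any vulnerable range, 1 otherwise.
is_vulnerable() {
    level="$1"
    echo "$VULN_RANGES" | while read -r lo hi; do
        if [ "$(level_cmp "$level" "$lo")" -ge 0 ] && [ "$(level_cmp "$level" "$hi")" -le 0 ]; then
            echo vulnerable
        fi
    done | grep -q vulnerable
}

# Extract the installed level from "lslpp -L" output read on stdin.
installed_level() { awk '$1 == "bos.esagent" { print $2; exit }'; }

# Constructed sample of "lslpp -L bos.esagent" output (not captured from a real host).
SAMPLE_LSLPP='  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  bos.esagent                6.5.10.2    C     F    Electronic Service Agent'
lvl=$(echo "$SAMPLE_LSLPP" | installed_level)
if is_vulnerable "$lvl"; then
    echo "bos.esagent $lvl: in a vulnerable range, apply the sa_snap fix"
else
    echo "bos.esagent $lvl: not in a vulnerable range"
fi
```

On a real host, replace the constructed sample with `lslpp -L bos.esagent | installed_level` (after `oem_setup_env` on VIOS, as the advisory notes).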
 


Copyright 2014, SecurityGlobal.net LLC