Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   


Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker

Category:   OS (UNIX)  >   IBM AIX Vendors:   IBM
IBM AIX Buffer Overflow in sa_snap Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1024430
SecurityTracker URL:
CVE Reference:   CVE-2010-3405   (Links to External Site)
Updated:  Sep 27 2010
Original Entry Date:  Sep 14 2010
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.3, 6.1
Description:   A vulnerability was reported in IBM AIX. A local user can obtain elevated privileges on the target system.

A local user in the system group can trigger a buffer overflow in '/usr/esa/sbin/sa_snap' to execute arbitrary code on the target system with root level privileges.

Impact:   A local user In the system group can obtain root privileges on the target system.
Solution:   The vendor has issued a fix.

5.3.10 IZ73757
5.3.11 IZ73681
5.3.12 IZ73590
6.1.2 IZ75465
6.1.3 IZ75440
6.1.4 IZ75369
6.1.5 IZ73599

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  

Message History:   None.

 Source Message Contents

Date:  Tue, 14 Sep 2010 03:42:57 +0000
Subject:  IBM AIX

•  AIX security vulnerabilities in sa_snap

Hash: SHA1


First Issued: Mon Sep 13 13:15:05 CDT 2010

The most recent version of this document is available here:


VULNERABILITY: AIX security vulnerabilities in sa_snap

PLATFORMS: AIX 5.3, 6.1, and earlier releases
VIOS 1.5, 2.1, and earlier releases

SOLUTION: Apply the fix or workaround as described below.

THREAT: A system group user may execute arbitrary code as 
root and delete sensitive files on the system.

CERT VU Number: N/A
CVE Number: N/A

Reboot required? NO
Workarounds? YES
Protected by FPM? NO
Protected by SED? NO
Protected by AIXPERT? NO



a) A buffer overflow is created in program 
/usr/esa/sbin/sa_snap, resulting in potential privilege 
escalation by a system group users.

b) In AIX 5.3, a system group user can delete sensitive 
files on the system.


Note: To use the following commands on VIOS you must first


To determine if your system is vulnerable, execute the following

lslpp -L bos.esagent

The following fileset levels are vulnerable:

AIX Fileset Lower Level Upper Level
bos.esagent 06.05.0010.0000 06.05.0010.0003
bos.esagent 06.05.0011.0000 06.05.0011.0004
bos.esagent 06.05.0012.0000 06.05.0012.0001
bos.esagent 06.06.0002.0000 06.06.0002.0005
bos.esagent 06.06.0003.0000 06.06.0003.0005
bos.esagent 06.06.0004.0000 06.06.0004.0007
bos.esagent 06.06.0005.0000 06.06.0005.0002



Fixes are now available. The fixes can be downloaded from:

The links above are to a tar file containing this signed
advisory, fix packages, and PGP signatures for each package.

AIX Level VIOS Level Fix
5.3.10 1.5.2 IZ82630_10.100910.epkg.Z
5.3.11 IZ82245_11.100910.epkg.Z
5.3.12 IZ81819_12.100910.epkg.Z
6.1.2 2.1.0 IZ84167_02.100910.epkg.Z
6.1.3 2.1.1 IZ83909_03.100910.epkg.Z
6.1.4 2.1.2 IZ83975_04.100910.epkg.Z
6.1.5 2.1.3 IZ83942_05.100910.epkg.Z

To extract the fixes from the tar file:

tar xvf sa_snap_fix.tar
cd sa_snap

Verify you have retrieved the fixes intact:

The checksums below were generated using the "csum -h SHA1"
(sha1sum) commands and are as follows:

csum -h SHA1 (sha1sum) filename
1c86260dcaf2cdcd08f6646c98fcec9c0abeb1b6 IZ81819_12.100910.epkg.Z
3d0a20490c6271fb35afbe99cc028476b6ae8b68 IZ82245_11.100910.epkg.Z
6e67ebdfe904235099e2019b6118ee91ab162638 IZ82630_10.100910.epkg.Z
4d1b2f681103e7a0dcb88f20af17b0cc50d62b0d IZ83909_03.100910.epkg.Z
630ed06b834bc97a48411b2475f663125cb7b1ca IZ83942_05.100910.epkg.Z
954fc0b96abd0c2f293fb7a9a02487abf2d929b6 IZ83975_04.100910.epkg.Z
e71a6e1e22119a41147fa5a68291db0f82a59c0f IZ84167_02.100910.epkg.Z

To verify the sums, use the text of this advisory as input to
csum or sha1sum. For example:

csum -h SHA1 -i Advisory.asc
sha1sum -c Advisory.asc

These sums should match exactly. The PGP signatures in the tar
file and on this advisory can also be used to verify the
integrity of the fixes. If the sums or signatures cannot be
confirmed, contact IBM AIX Security and describe the
discrepancy at the following address:


IMPORTANT: If possible, it is recommended that a mksysb backup
of the system be created. Verify it is both bootable and
readable before proceeding.

Fix management documentation can be found at:

To preview fix installation:

emgr -e fix_name -p # where fix_name is the name of the 
# fix being previewed.

To install fix package:

emgr -e fix_name -X # where fix_name is the name of the 
# fix being installed.


IBM has assigned the following APARs to this problem:

AIX Level APAR number Service pack date
5.3.10 IZ73757 9/22/10 sp5
5.3.11 IZ73681 9/22/10 sp5
5.3.12 IZ73590 9/22/10 sp2
6.1.2 IZ75465 10/20/10 sp10
6.1.3 IZ75440 10/20/10 sp7
6.1.4 IZ75369 10/20/10 sp7
6.1.5 IZ73599 10/20/10 sp3

Subscribe to the APARs here:

By subscribing, you will receive periodic email alerting you
to the status of the APAR, and a link to download the service
pack when it becomes available.


The attacking user must be in the system group to exploit this
vulnerability and the system group is considered a privileged 
group that only root can create.

Please take this into consideration to prevent wrongly assigning
group ids.


If you would like to receive AIX Security Advisories via email,
please visit:

and click on the "My notifications" link.

To view previously issued advisories, please visit:

Comments regarding the content of this announcement can be
directed to:

To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team you can either:

A. Send an email with "get key" in the subject line to:

B. Download the key from our web page:

C. Download the key from a PGP Public Key Server. The key ID is:


Please contact your local IBM AIX support center for any

eServer is a trademark of International Business Machines
Corporation. IBM, AIX and pSeries are registered trademarks of
International Business Machines Corporation. All other trademarks
are property of their respective holders.


Lucas McLane, CISSP for disclosing and providing PoC. 
Also, Joe Cushing for helping Lucas with AIX microcode upgrades.
Version: GnuPG v1.4.7 (AIX)


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

Copyright 2015, LLC