SecurityTracker.com
Category: OS (UNIX) > Telnet    Vendors: IBM
IBM AIX Operating System Telnet Command Buffer Overflow Lets Local Users Obtain Root Privileges
SecurityTracker Alert ID:  1005298
SecurityTracker URL:  http://securitytracker.com/id/1005298
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 26 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): AIX 4.3.x and 5.1.0
Description:   A buffer overflow vulnerability was reported in the telnet/tn/tn3270 commands on IBM's AIX UNIX operating system. A local user may be able to obtain root privileges.

IBM reported discovering during an internal audit that the telnet command contains a buffer overflow in the code that supports vt100 emulation mode. A local user can call the command in a certain manner to trigger the flaw and execute arbitrary code. The telnet command is configured with set user id (setuid) root privileges. So, any arbitrary code executed will run with root privileges.

The tn and tn3270 commands are hard linked to the telnet command and therefore are also affected.

This flaw can reportedly be exploited when using vt100 emulation in an input mode (as opposed to command mode).

Impact:   A local user can execute arbitrary code with root privileges to gain root access on the system.
Solution:   IBM is working on the following fixes which will be available at the specified dates:

APAR number for AIX 4.3.3: IY34018 (available approx 10/16/2002)
APAR number for AIX 5.1.0: IY34019 (available approx 9/30/2002)

NOTE: Fix will not be provided for versions prior to 4.3 as these are no longer supported by IBM. Affected customers are urged to upgrade to 4.3.3 at the latest maintenance level, or to 5.1.0.

Temporary fixes for AIX 4.3.x and 5.1.0 systems are available at:

ftp://aix.software.ibm.com/aix/efixes/security/telnet_efix.tar.Z

The efix compressed tarball contains two fixes: one for AIX 4.3.3 and one for AIX 5.1.0. It also includes this Advisory. The two fix files are "telnet.433" for 4.3.3 and "telnet.510" for 5.1.0.

There are 2 fix-files in this package for the 4.3.3 and 5.1.0 releases. The checksums below were generated using the "sum" and "md5" commands and are as follows:

Filename        sum             md5
=================================================================
telnet.433      36255   502     5504b13c0a7d46953019566e03ef7da9
telnet.510      23117   522     8da6f2aebd0adce4b6fa083545cb03df

IBM recommends that, if possible, you should create a mksysb backup of the system. Verify it is both bootable and readable before proceeding.

These temporary fixes have not been fully regression tested; thus, IBM does not warrant the fully correct functioning of the efix. Customers install the efix and operate the modified version of AIX at their own risk.


Efix Installation Instructions:

You need to be at Maintenance Level 10 for AIX 4.3.3 or Level 2 for AIX 5.1.0

To see if you are at correct maintenance level:
# instfix -i | grep AIX_ML
on one of the lines you should see:
"All filesets for 4330-10_AIX_ML were found."
or
"All filesets for 5100-02_AIX_ML were found."

Detailed installation instructions can be found in the README file supplied in the efix package. These instructions are summarized below.

1. Create a temporary efix directory and move to that directory.
# mkdir /tmp/efix
# cd /tmp/efix

2. Uncompress the efix and un-tar the resulting tarfile. Move to the fix directory.
# uncompress telnet_efix.tar.Z
# tar xvf telnet_efix.tar
# cd telnet_efix

3. Rename the patched telnet file appropriate for your system and set ownership and permissions.
# mv telnet.xxx telnet        # where xxx is 433 or 510
# chown root.system telnet
# chmod 4555 telnet

4. Move to the /usr/bin directory and create a backup copy of the original telnet command.
# cd /usr/bin
# cp -p telnet telnet.orig

5. Remove the original telnet and copy the patched version in its place. Use the "-p" option to retain ownership and permission settings from step 3.
# rm telnet
# cp -p /tmp/efix/telnet_efix/telnet telnet


6. Restore the hard-links to the tn and tn3270 commands
# ln -f telnet tn
# ln -f telnet tn3270

Vendor URL:  www.ibm.com/
Cause:   Boundary error
Underlying OS:  UNIX (AIX)

Message History:   None.


 Source Message Contents

Subject:  Buffer overflow vulnerability in telnet/tn/tn3270 command


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----BEGIN PGP SIGNED MESSAGE-----

IBM SECURITY ADVISORY

First Issued: Mon Sep 23 09:43:30 CDT 2002
===========================================================================
                          VULNERABILITY SUMMARY

VULNERABILITY:    Buffer overflow vulnerability in telnet/tn/tn3270
                 command.

PLATFORMS:        IBM AIX 4.3.x and 5.1.0

SOLUTION:         Apply the emergency-fixes described below, or
                 employ the workaround, also described below.

THREAT:           Malicious user could obtain root privileges.

CERT Advisory:    None.

===========================================================================
                          DETAILED INFORMATION

I.  Description

   AIX ships with a version of the "telnet" command that was originally
   derived from the BSD version. This command is shipped SUID root, or
   "set user ID root", and is executable by an ordinary user. From the
   "telnet" command, hard-links also exist to the "tn" and "tn3270" commands.

   In the AIX version of "telnet", functionality was added to operate
   in a vt100 emulation mode. This can be enabled by exporting
   "EMULATE=vt100" into the shell environment or by using the "-e" option
   when issuing the telnet command.

   In adding this functionality, a potential buffer overflow was introduced
   into the code and could possibly be exploited when using vt100 emulation
   in an input mode, (as opposed to command mode).


II. Impact

  A malicious local or remote user can use well-crafted exploit code
  to gain root privileges on the attacked system, compromising the
  integrity of the system and its attached local network.

  This vulnerability was discovered during an internal code audit and
  at this time there are no known exploits.


III.  Solutions

 A.  WORKAROUND

     There is no practical workaround. To protect against an exploit
     before the efix or APAR is applied, the telnet command can be
     disabled to prevent the use of telnet.

 B.  Official fix

     IBM is working on the following fixes which will be available
     at the specified dates:

     APAR number for AIX 4.3.3: IY34018 (available approx 10/16/2002)
     APAR number for AIX 5.1.0: IY34019 (available approx 9/30/2002)

     NOTE: Fix will not be provided for versions prior to 4.3 as
     these are no longer supported by IBM. Affected customers are
     urged to upgrade to 4.3.3 at the latest maintenance level,
     or to 5.1.0.

 C.  How to minimize the vulnerability

   Temporary fixes for AIX 4.3.x and 5.1.0 systems are available.

   The temporary fixes can be downloaded via ftp from:

   ftp://aix.software.ibm.com/aix/efixes/security/telnet_efix.tar.Z

   The efix compressed tarball contains two fixes: one for
   AIX 4.3.3 and one for AIX 5.1.0. It also includes this Advisory.
   The two fix files are "telnet.433" for 4.3.3 and "telnet.510"
   for 5.1.0.

   Verify you have retrieved this efix intact:
   -------------------------------------------
   There are 2 fix-files in this package for the 4.3.3 and 5.1.0 releases.
   The checksums below were generated using the "sum" and "md5" commands
   and are as follows:

   Filename        sum             md5
   =================================================================
   telnet.433      36255   502     5504b13c0a7d46953019566e03ef7da9
   telnet.510      23117   522     8da6f2aebd0adce4b6fa083545cb03df

   These sums should match exactly; if they do not, double check the command
   results and the download site address. If those are OK, contact IBM AIX
   Security at security-alert@austin.ibm.com and describe the
   discrepancy.

   IMPORTANT: If possible, it is recommended that a mksysb backup of the
   system is created. Verify it is both bootable and readable before
   proceeding.

   These temporary fixes have not been fully regression tested; thus,
   IBM does not warrant the fully correct functioning of the efix.
   Customers install the efix and operate the modified version of AIX
   at their own risk.



   Efix Installation Instructions:
   -------------------------------

   You need to be at Maintenance Level 10 for AIX 4.3.3
   or Level 2 for AIX 5.1.0

   To see if you are at correct maintenance level:
   # instfix -i | grep AIX_ML
   on one of the lines you should see:
   "All filesets for 4330-10_AIX_ML were found."
   or
   "All filesets for 5100-02_AIX_ML were found."

   Detailed installation instructions can be found in the README file
   supplied in the efix package. These instructions are summarized below.

  1. Create a temporary efix directory and move to that directory.
     # mkdir /tmp/efix
     # cd /tmp/efix

  2. Uncompress the efix and un-tar the resulting tarfile. Move to the
     fix directory.
     # uncompress telnet_efix.tar.Z
     # tar xvf telnet_efix.tar
     # cd telnet_efix

  3. Rename the patched telnet file appropriate for your system and set
     ownership and permissions.
     # mv telnet.xxx telnet        # where xxx is 433 or 510
     # chown root.system telnet
     # chmod 4555 telnet

  4. Move to the /usr/bin directory and create a backup copy of the original
     telnet command.
     # cd /usr/bin
     # cp -p telnet telnet.orig

  5. Remove the original telnet and copy the patched version in its
     place. Use the "-p" option to retain ownership and permission
     settings from step 3.
     # rm telnet
     # cp -p /tmp/efix/telnet_efix/telnet telnet


  6. Restore the hard-links to the tn and tn3270 commands
     # ln -f telnet tn
     # ln -f telnet tn3270




IV. Obtaining Fixes

IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
FixDist program), or from the IBM Support Center.  For more information
on FixDist, and to obtain fixes via the Internet, please reference

       http://techsupport.services.ibm.com/rs6k/fixes.html

or send email to "aixserv@austin.ibm.com" with the word "FixDist" in the
"Subject:" line.

To facilitate ease of ordering all security related APARs for each AIX
release, security fixes are periodically bundled into a cumulative APAR.
For more information on these cumulative APARs including last update and
list of individual fixes, send email to "aixserv@austin.ibm.com" with
the word "subscribe Security_APARs" in the "Subject:" line.


V.  Acknowledgements

   Many thanks to the Common Criteria Evaluation Team for finding
   this vulnerability and bringing it to our attention.

VI.  Contact Information

Comments regarding the content of this announcement can be directed to:

  security-alert@austin.ibm.com

To request the PGP public key that can be used to encrypt new AIX
security vulnerabilities, send email to security-alert@austin.ibm.com
with a subject of "get key".

If you would like to subscribe to the AIX security newsletter, send a
note to aixserv@austin.ibm.com with a subject of "subscribe Security".
To cancel your subscription, use a subject of "unsubscribe Security".
To see a list of other available subscriptions, use a subject of
"help".

IBM and AIX are a registered trademark of International Business
Machines Corporation.  All other trademarks are property of their
respective holders.


- -----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPY8/CAsPbaL1YgqvAQFI1AP9G/0MzKpybU2SCjV2AsEW9d7SGDUuVc4k
vnZ9EVtPFDFCQnnB3X3Q0amOVN2U+xwzrk9+HForsDC5j5EzZ/7q+iie6GGhjTax
VfkojNTGr+MwCRyBelteON0t1IQJBA/UdEYa19+Ua5jHhrifcbGysBprnebNlkLg
H8B3gJ2ys2k=
=CxrO
- -----END PGP SIGNATURE-----


-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Security 7.0.3

iQA/AwUBPZMYj8XrSKQHhgFwEQKr1ACg8WM5YGoAPGXEnL3kD5tYdgDgl2IAoL0Y
YaG6/qW7qhRRgWoXU51RYKkx
=JnLi
-----END PGP SIGNATURE-----



Copyright 2019, SecurityGlobal.net LLC