SecurityTracker.com
Category:   OS (UNIX)  >   IBM AIX
Vendors:   IBM
IBM AIX Various Application Buffer Overflows Let Local Users Gain Root Privileges
SecurityTracker Alert ID:  1018871
SecurityTracker URL:  http://securitytracker.com/id/1018871
CVE Reference:   CVE-2007-4217, CVE-2007-4513, CVE-2007-4621, CVE-2007-4622, CVE-2007-4623
Date:  Oct 30 2007
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.2, 5.3
Description:   Several vulnerabilities were reported in IBM AIX in various applications and utilities. A local user can obtain elevated privileges on the target system.

A local user can invoke bellmail with the 'm' command to trigger a stack overflow in the sendrmt() function and execute arbitrary code with root privileges [CVE-2007-4623]. The vendor was notified on August 28, 2007.

A local user with 'system' group privileges can invoke the swcons command with the '-p' command switch to modify arbitrary files on the target system. The vendor was notified on December 21, 2004. The vendor issued a partial fix on February 22, 2007.

A local user can invoke crontab with specially crafted command line arguments to trigger a buffer overflow and execute arbitrary code with root privileges [CVE-2007-4621]. The vendor was notified on August 29, 2007.

A local user can invoke the dig application with a specially crafted '-y' command line TSIG key parameter to trigger an integer overflow in the dns_name_fromtext() function in the 'libdns.a' library and potentially execute arbitrary code with root privileges [CVE-2007-4622]. The vendor was notified on August 30, 2007. Only AIX version 5.2 is affected.

A local user can execute an ftp program macro with the '$' command to trigger a buffer overflow in the domacro() function and execute arbitrary code with root privileges [CVE-2007-4217]. The vendor was notified on August 15, 2007.

A local user can invoke the lquerypv command with a specially crafted '-V' command line parameter or the lqueryvg command with a specially crafted '-p' command line parameter to trigger a stack overflow and execute arbitrary code with root privileges [CVE-2007-4513]. The vendor was notified on August 21, 2007.

A local user can invoke the tftp command to trigger a buffer overflow and execute arbitrary code with root privileges.

Joshua J. Drake of VeriSign iDefense Labs reported the bellmail and ftp vulnerabilities. Alex DeLarge reported the swcons vulnerability via iDefense. Sean Larsson of VeriSign iDefense Labs reported the lquerypv and lqueryvg vulnerabilities. The dig vulnerability was reported via iDefense. IBM reported the tftp vulnerability.

Impact:   A local user can obtain root privileges on the target system.
Solution:   The vendor has issued interim fixes and APARs.

The fixes are included in the following service packs.

AIX 5.2 TL10 SP3
AIX 5.3 TL06 SP4
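
To check a host against the two service packs listed above, the following added example (not part of the original advisory or of any IBM tooling) classifies a level string. It assumes the string comes from `oslevel -s` in release-TL-SP form; the function name and sample levels are constructed for illustration.

```shell
#!/bin/sh
# classify_level LEVEL prints one of:
#   fixed    at or above the named service pack on the named technology level
#   below    older than the named service pack; look for the interim fix or APAR
#   verify   later technology level, not named in the advisory; confirm the APARs
#   n/a      release not listed as affected (the advisory lists 5.2 and 5.3)
#   unknown  string is not release-TL-SP with numeric fields (e.g. a CSP level)
classify_level() {
    level=$1
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]-*) ;;
        *) echo unknown; return 0 ;;
    esac
    rel=${level%%-*}            # e.g. 5300
    rest=${level#*-}
    tl=${rest%%-*}              # technology level, e.g. 06
    rest=${rest#*-}
    sp=${rest%%-*}              # service pack, e.g. 04
    tl=${tl#0}; sp=${sp#0}      # drop a leading zero so 08/09 compare as decimal
    case $rel in
        5200) fix_tl=10; fix_sp=3 ;;   # AIX 5.2 TL10 SP3
        5300) fix_tl=6;  fix_sp=4 ;;   # AIX 5.3 TL06 SP4
        *) echo n/a; return 0 ;;
    esac
    if [ "$tl" -lt "$fix_tl" ]; then echo below
    elif [ "$tl" -gt "$fix_tl" ]; then echo verify
    elif [ "$sp" -ge "$fix_sp" ]; then echo fixed
    else echo below
    fi
}

# Constructed sample levels; on a live host use: classify_level "$(oslevel -s)"
for s in 5300-06-04-0748 5300-06-03-0732 5200-10-03 5300-07-01-0748 5300-05-CSP-0000; do
    printf '%s %s\n' "$s" "$(classify_level "$s")"
done
```

A result of `below` does not by itself mean the host is exposed, since the vendor also issued interim fixes and APARs that can be installed without moving to the listed service pack.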

The IBM advisories are available at:

http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3972
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3973
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3974
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3975
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3976
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3977
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3978
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3979
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3980
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3981
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3982
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3983
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3984
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3985
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3986
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3987
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3988
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3989

Vendor URL:  www.ibm.com/
Cause:   Boundary error

Message History:   None.
