SecurityTracker.com

Category:   OS (UNIX)  >   IBM AIX
Vendors:   IBM
IBM AIX 'enq' Command Lets Local Users Delete Arbitrary Files
SecurityTracker Alert ID:  1021290
SecurityTracker URL:  http://securitytracker.com/id/1021290
CVE Reference:   CVE-2008-5385
Updated:  Dec 10 2008
Original Entry Date:  Nov 27 2008
Impact:   Denial of service via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 6.1
Description:   A vulnerability was reported in IBM AIX. A local user can delete arbitrary files on the target system.

If a print queue is defined in '/etc/qconfig', a local user can invoke '/usr/bin/enq' to remove arbitrary files on the target system.

The vendor has assigned APARs IZ34785, IZ34481, and IZ33088 to this vulnerability.

Impact:   A local user can delete arbitrary files on the target system.
Solution:   The vendor has issued the following fixes.

6.1.0: http://www.ibm.com/support/docview.wss?uid=isg1IZ34785
6.1.1: http://www.ibm.com/support/docview.wss?uid=isg1IZ34481
6.1.2: http://www.ibm.com/support/docview.wss?uid=isg1IZ33088

The fixes are also included in AIX 6.1 TL0 Service Pack 7, AIX 6.1 TL1 Service Pack 3, and AIX 6.1 TL2 Service Pack 1.

The vendor's advisory is available at:

http://aix.software.ibm.com/aix/efixes/security/aix61_advisory.asc

Vendor URL:  aix.software.ibm.com/aix/efixes/security/aix61_advisory.asc
Cause:   Access control error

Message History:   None.


 Source Message Contents

Subject:  IBM AIX

IBM SECURITY ADVISORY

First Issued: Wed Nov 26 09:16:12 CST 2008
===============================================================================
VULNERABILITY SUMMARY

VULNERABILITY: AIX 6.1 multiple security vulnerabilities

PLATFORMS: AIX 6.1

SOLUTION: Apply the fix as described below.

THREAT: A local attacker may gain elevated privileges.

CVE Number: n/a

The most recent version of this document is available at:

http://aix.software.ibm.com/aix/efixes/security/aix61_advisory.asc

===============================================================================
DETAILED INFORMATION

I. DESCRIPTION

There are multiple vulnerabilities in AIX 6.1:

a) If the netcd daemon is running, a buffer overflow is created in
the setuid root program /usr/sbin/ndp, resulting in privilege
escalation.

Track with the following APAR numbers: IZ35181 IZ35170 IZ35209.

b) There is a buffer overflow in the privileged command
/usr/sbin/autoconf6, resulting in privilege escalation if RBAC (role
based access control) is in use and a user has the
aix.network.config.tcpip authorization.

Track with the following APAR numbers: IZ34753 IZ34393 IZ30231.

c) The privileged command /usr/bin/enq can remove any file on the
system if a print queue is defined in /etc/qconfig.

Track with the following APAR numbers: IZ34785 IZ34481 IZ33088.

d) The privileged command /usr/bin/crontab grants elevated
privileges to the editor if a user has the aix.system.config.cron
authorization.

Track with the following APAR numbers: IZ34783 IZ34478 IZ30248.

The following files are vulnerable:

/usr/sbin/ndp
/usr/sbin/autoconf6
/usr/bin/enq
/usr/bin/crontab

II. PLATFORM VULNERABILITY ASSESSMENT

To determine if your system is vulnerable, execute the following
command:

    lslpp -L bos.net.tcp.client \
             bos.adt.prof \
             bos.rte.libc \
             bos.rte.printers \
             bos.rte.cron

The following fileset levels are vulnerable:

AIX Fileset          Lower Level    Upper Level
------------------------------------------------
bos.net.tcp.client   6.1.0.0        6.1.0.6
bos.adt.prof         6.1.0.0        6.1.0.7
bos.rte.libc         6.1.0.0        6.1.0.7
bos.rte.printers     6.1.0.0        6.1.0.1
bos.rte.cron         6.1.0.0        6.1.0.0

bos.net.tcp.client   6.1.1.0        6.1.1.2
bos.adt.prof         6.1.1.0        6.1.1.2
bos.rte.libc         6.1.1.0        6.1.1.2
bos.rte.printers     6.1.1.0        6.1.1.0
bos.rte.cron         6.1.1.0        6.1.1.1

bos.net.tcp.client   6.1.2.0        6.1.2.0
bos.adt.prof         6.1.2.0        6.1.2.0
bos.rte.libc         6.1.2.0        6.1.2.0
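
The range check against the table above can be scripted. This is an added example, not part of IBM's advisory: the function name check_filesets and the sample input are constructed, and it assumes each input line carries the fileset name in column 1 and its level in column 2.

```shell
#!/bin/sh
# Added example, not IBM code: flag filesets whose installed level lies
# inside a vulnerable range from the advisory table.
# Assumes column 1 = fileset name, column 2 = level (see SAMPLE).

check_filesets() {
    awk '
    # Zero-pad each of the four level fields so strings compare in order.
    function key(v,   p, i, k) {
        if (split(v, p, ".") != 4) return ""
        for (i = 1; i <= 4; i++) {
            if (p[i] !~ /^[0-9]+$/) return ""
            k = k sprintf("%05d", p[i])
        }
        return k
    }
    function add(f, lo, hi) { n++; rn[n] = f; rlo[n] = key(lo); rhi[n] = key(hi) }
    BEGIN {
        add("bos.net.tcp.client", "6.1.0.0", "6.1.0.6")
        add("bos.adt.prof",       "6.1.0.0", "6.1.0.7")
        add("bos.rte.libc",       "6.1.0.0", "6.1.0.7")
        add("bos.rte.printers",   "6.1.0.0", "6.1.0.1")
        add("bos.rte.cron",       "6.1.0.0", "6.1.0.0")
        add("bos.net.tcp.client", "6.1.1.0", "6.1.1.2")
        add("bos.adt.prof",       "6.1.1.0", "6.1.1.2")
        add("bos.rte.libc",       "6.1.1.0", "6.1.1.2")
        add("bos.rte.printers",   "6.1.1.0", "6.1.1.0")
        add("bos.rte.cron",       "6.1.1.0", "6.1.1.1")
        add("bos.net.tcp.client", "6.1.2.0", "6.1.2.0")
        add("bos.adt.prof",       "6.1.2.0", "6.1.2.0")
        add("bos.rte.libc",       "6.1.2.0", "6.1.2.0")
    }
    NF >= 2 && (k = key($2)) != "" {
        for (i = 1; i <= n; i++)
            if ($1 == rn[i] && k >= rlo[i] && k <= rhi[i]) {
                print "VULNERABLE", $1, $2; bad = 1; break
            }
    }
    END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample input, not captured from a real system.
SAMPLE='  Fileset               Level    State  Type  Description
  bos.net.tcp.client    6.1.0.6    C     F    TCP/IP Client Support
  bos.rte.printers      6.1.1.1    C     F    Front End Printer Support
  bos.rte.cron          6.1.1.1    C     F    Batch Operations
  bos.rte.libc          6.1.2.1    C     F    libc Library'
printf '%s\n' "$SAMPLE" | check_filesets || true
```

The function exits non-zero when any listed fileset is inside a vulnerable range, so it can gate a patch-compliance job.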


III. SOLUTIONS

A. APARS

IBM has assigned the following APARs to these problems:

AIX Level    APAR numbers                       Availability
---------------------------------------------------------------
6.1.0        IZ35181 IZ34753 IZ34785 IZ34783    Now
6.1.1        IZ35170 IZ34393 IZ34481 IZ34478    Now
6.1.2        IZ35209 IZ30231 IZ33088 IZ30248    Now

Subscribe to the APARs here:

http://www.ibm.com/support/docview.wss?uid=isg1IZ35181
http://www.ibm.com/support/docview.wss?uid=isg1IZ34753
http://www.ibm.com/support/docview.wss?uid=isg1IZ34785
http://www.ibm.com/support/docview.wss?uid=isg1IZ34783

http://www.ibm.com/support/docview.wss?uid=isg1IZ35170
http://www.ibm.com/support/docview.wss?uid=isg1IZ34393
http://www.ibm.com/support/docview.wss?uid=isg1IZ34481
http://www.ibm.com/support/docview.wss?uid=isg1IZ34478

http://www.ibm.com/support/docview.wss?uid=isg1IZ35209
http://www.ibm.com/support/docview.wss?uid=isg1IZ30231
http://www.ibm.com/support/docview.wss?uid=isg1IZ33088
http://www.ibm.com/support/docview.wss?uid=isg1IZ30248

By subscribing, you will receive periodic email alerting you
to the status of the APAR, and a link to download the fix once
it becomes available.

The fixes are also available in the following service packs:

AIX 6.1 TL0 Service Pack 7
AIX 6.1 TL1 Service Pack 3
AIX 6.1 TL2 Service Pack 1

B. FIXES

Fixes are available. The fixes can be downloaded from:

http://aix.software.ibm.com/aix/efixes/security/aix61_fix.tar
ftp://aix.software.ibm.com/aix/efixes/security/aix61_fix.tar

The links above are to a tar file containing this signed
advisory, fix packages, and PGP signatures for each package.
The fixes below include prerequisite checking. This will
enforce the correct mapping between the fixes and AIX
Technology Levels.

AIX Level    Fix (*.U)
-------------------------------------------------------------------
6.1.0        bos.adt.prof.6.1.0.8.U
             bos.net.tcp.client.6.1.0.7.U
             bos.rte.cron.6.1.0.1.U
             bos.rte.libc.6.1.0.8.U
             bos.rte.printers.6.1.0.2.U
6.1.1        bos.adt.prof.6.1.1.3.U
             bos.net.tcp.client.6.1.1.3.U
             bos.rte.cron.6.1.1.2.U
             bos.rte.libc.6.1.1.3.U
             bos.rte.printers.6.1.1.1.U
6.1.2        bos.adt.prof.6.1.2.1.U
             bos.net.tcp.client.6.1.2.1.U
             bos.rte.libc.6.1.2.0.U

To extract the fixes from the tar file:

tar xvf aix61_fix.tar
cd aix61_fix

Verify you have retrieved the fixes intact:

The checksums below were generated using the "csum -h SHA1"
(sha1sum) command and are as follows:

csum -h SHA1 (sha1sum) filename
------------------------------------------------------------------
166b1f5808b8cf74ecfd2b9a2793f3e7bbb08365 bos.adt.prof.6.1.0.8.U
22a8597cf4ee92004f80e41d13bdfc0d6cf4afb0 bos.adt.prof.6.1.1.3.U
aca884ff7e34d5eb556b958e8aa18013d7895f5d bos.adt.prof.6.1.2.1.U
d12bcdc6083fb41dbe550929dd05b30099d10690 bos.net.tcp.client.6.1.0.7.U
b1c84d681760ad7eba6e7582b0ce8a683b1fb206 bos.net.tcp.client.6.1.1.3.U
334542307bfd4980bb4fca9fd787d46eb65eb2f2 bos.net.tcp.client.6.1.2.1.U
1901b56c0aeb54e1ef7054bcc4e8c54073fb3129 bos.rte.cron.6.1.0.1.U
bb3a956f1cc70150d1f99a08138348addea9a158 bos.rte.cron.6.1.1.2.U
150fdd6fd8fc3fd856390c78a979560efb708d7f bos.rte.libc.6.1.0.8.U
b3370f80430cbb3a9ca3c1cb33da32085cfb8e3e bos.rte.libc.6.1.1.3.U
0f04ac1b9eec74550fd7ff51dfd762eff55e1f0d bos.rte.libc.6.1.2.0.U
3126a986c1ead766bf4e91b8585f9a191ed9cfa5 bos.rte.printers.6.1.0.2.U
92aff483c92ec8490bad59f7bc3f0f55f3c00cf7 bos.rte.printers.6.1.1.1.U

To verify the sums, use the text of this advisory as input to
csum or sha1sum. For example:

csum -h SHA1 -i Advisory.asc
sha1sum -c Advisory.asc

These sums should match exactly. The PGP signatures in the tar
file and on this advisory can also be used to verify the
integrity of the fixes. If the sums or signatures cannot be
confirmed, contact IBM AIX Security and describe the
discrepancy at the following address:

security-alert@austin.ibm.com

C. FIX INSTALLATION

IMPORTANT: If possible, it is recommended that a mksysb backup
of the system be created. Verify it is both bootable and
readable before proceeding.

To preview a fix installation:

    installp -a -d fix_name -p all    # where fix_name is the name of the
                                      # fix package being previewed.

To install a fix package:

    installp -a -d fix_name -X all    # where fix_name is the name of the
                                      # fix package being installed.

IV. WORKAROUNDS

a) Stop the netcd daemon and remove the setuid and setgid bits
from /usr/sbin/ndp:

stopsrc -s netcd
chmod 555 /usr/sbin/ndp

b) Remove the aix.network.config.tcpip authorization from user roles.

c) Remove the setuid and setgid bits from /usr/bin/enq:

chmod 555 /usr/bin/enq

d) Remove the aix.system.config.cron authorization from user roles.

V. OBTAINING FIXES

AIX security fixes can be downloaded from:

http://aix.software.ibm.com/aix/efixes/security

AIX fixes can be downloaded from:

http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix

NOTE: Affected customers are urged to upgrade to the latest
applicable Technology Level and Service Pack.

VI. CONTACT INFORMATION

If you would like to receive AIX Security Advisories via email,
please visit:

http://www.ibm.com/systems/support

and click on the "My notifications" link.

To view previously issued advisories, please visit:

http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

Comments regarding the content of this announcement can be
directed to:

security-alert@austin.ibm.com

To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team you can either:

A. Download the key from our web page:

http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt

B. Download the key from a PGP Public Key Server. The key ID is:

0xADA6EB4D

Please contact your local IBM AIX support center for any
assistance.

eServer is a trademark of International Business Machines
Corporation. IBM, AIX and pSeries are registered trademarks of
International Business Machines Corporation. All other trademarks
are property of their respective holders.

VII. ACKNOWLEDGMENTS

IBM discovered and fixed these vulnerabilities as part of its
commitment to secure the AIX operating system.


Copyright 2019, SecurityGlobal.net LLC