Several vulnerabilities in IBM AIX
Security provider iDefense has reported several security holes that allow attackers to obtain root privileges in various versions of IBM's Unix derivative AIX (Advanced Interactive eXecutive). Most of the vulnerabilities are based on buffer overflows in the bellmail, FTP client, lquerypv, lqueryvg, dig and crontab system tools or applications. In each case, the SUID bit is set. Attackers who are logged into the system can use specially crafted arguments to trigger a buffer overflow, write arbitrary code onto the stack and have it executed with root privileges when the tool or application is called. In addition, the swcons SUID tool allows arbitrary files to be accessed or created on a system.
AIX 5.2 and 5.3 are affected, as well as several previous versions, although some of the vulnerabilities no longer exist in version 5.3. According to iDefense, IBM has released interim fixes. As a workaround, iDefense recommends that admins remove the SUID bit from the affected binaries. In that case, however, only root will be able to use the tools.
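The workaround described above, as an added example that is not part of the original article or of the iDefense advisories: POSIX shell functions that find the named tools with the SUID bit still set and clear it, logging the prior owner and mode. The function names, the log file and the directories to search are assumptions, since the article gives no install paths.

```shell
#!/bin/sh
# Added example: audit and apply the "remove the SUID bit" workaround.
# Tool names are the ones listed in the article; the directories to search
# are passed by the caller (assumption: the article gives no install paths).
AFFECTED_TOOLS="bellmail ftp lquerypv lqueryvg dig crontab swcons"

# Print every file under the given directories whose name matches an
# affected tool and which still has the SUID bit (mode 4000) set.
find_suid_tools() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for tool in $AFFECTED_TOOLS; do
            find "$dir" -type f -name "$tool" -perm -4000 -print 2>/dev/null || :
        done
    done
}

# Read paths on stdin, append each file's current owner and mode to the
# log given as $1 (so the bit can be restored once the interim fix is
# installed), then clear the SUID bit.
strip_suid() {
    log=$1
    while IFS= read -r path; do
        ls -ld "$path" >> "$log"
        chmod u-s "$path" && echo "SUID cleared: $path"
    done
}

# Usage: script audit DIR...      list affected SUID binaries
#        script strip LOG DIR...  clear the bit, logging the prior state
case "${1:-}" in
    audit) shift; find_suid_tools "$@" ;;
    strip) log=$2; shift 2; find_suid_tools "$@" | strip_suid "$log" ;;
esac
```

Run the audit mode first and review the list before stripping anything; non-root users lose access to each tool whose bit is cleared.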
- IBM AIX swcons Local Arbitrary File Access Vulnerability, iDefense advisory
- IBM AIX 5.2 crontab BSS Buffer Overflow Vulnerability, iDefense advisory
- IBM AIX dig dns_name_fromtext Integer Underflow Vulnerability, iDefense advisory
- IBM AIX lqueryvg Stack Buffer Overflow Vulnerability, iDefense advisory
- IBM AIX lquerypv Stack Buffer Overflow Vulnerability, iDefense advisory
- IBM AIX ftp domacro Parameter Buffer Overflow Vulnerability, iDefense advisory
- IBM AIX bellmail Stack Buffer Overflow Vulnerability, iDefense advisory
(mba)