[SNS Advisory No.46]IBM AIX dtprintinfo Buffer Overflow Vulnerability

From: snsadvat_private
Date: Tue Oct 30 2001 - 00:54:40 PST


    ----------------------------------------------------------------------
    SNS Advisory No.46
    IBM AIX dtprintinfo Buffer Overflow Vulnerability
    
    Problem first discovered: Fri, 05 Oct 2001
    Published: Tue, 30 Oct 2001
    ----------------------------------------------------------------------
    
    Overview:
    ---------
      A buffer overflow vulnerability was found in the /usr/dt/bin/dtprintinfo
      program shipped with IBM AIX. Local malicious users could execute
      arbitrary code with root privileges.
    
    Problem Description:
    --------------------
      dtprintinfo, included with IBM AIX, is the program that opens the CDE
      Print Manager window. It is normally installed SUID root.
    
      The "-session" option of dtprintinfo restores the client to its
      previous desktop state by loading a session file. If the specified
      session filename is an unusually long string of characters,
      dtprintinfo overflows a buffer.
    
      If properly exploited, a local attacker could execute arbitrary code
      with root privileges.
    
    Tested OS:
    ----------
      IBM AIX 4.3.3
    
    Solution:
    ---------
      This security issue was reported to IBM in advance. IBM released an
      advisory including an EMERGENCY FIX (efix) on October 29.
    
      ftp://aix.software.ibm.com/aix/efixes/security/CDE_libDtSvc_efix.tar.Z
    
      Additionally, an official fix will be made available soon.
    
    Workarounds:
    ------------
      The following workaround minimizes the impact of this problem.
    
      * Remove SUID bit from dtprintinfo.
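
      The workaround above as an added example (not LAC's or IBM's code): a POSIX sh helper that reports whether dtprintinfo is setuid root and clears the bit. The function names and the ls/awk mode parsing are assumptions; the path is the one the advisory names.

```shell
#!/bin/sh
# Added example (not LAC's or IBM's code): audit and apply the advisory's
# workaround by removing the setuid bit from dtprintinfo.
# Assumes POSIX sh with ls, chmod and awk.

DTPRINTINFO=/usr/dt/bin/dtprintinfo   # path named in the advisory

# mode_of FILE -> prints the 10-character mode string from `ls -ld` (e.g. -r-sr-xr-x)
mode_of() {
    ls -ld "$1" 2>/dev/null | awk '{ print substr($1, 1, 10) }'
}

# owner_of FILE -> prints the owning user name
owner_of() {
    ls -ld "$1" 2>/dev/null | awk '{ print $3 }'
}

# is_setuid FILE -> 0 if the setuid bit is set (s or S in the owner-execute slot), else 1
is_setuid() {
    case "$(mode_of "$1")" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# is_setuid_root FILE -> 0 only when the file is setuid AND owned by root
is_setuid_root() {
    is_setuid "$1" && [ "$(owner_of "$1")" = "root" ]
}

# strip_setuid FILE -> clears the setuid bit; the file stays executable
strip_setuid() {
    chmod u-s "$1"
}

# apply_workaround [FILE] -> strips setuid if present; returns 0 once the file has no setuid bit
apply_workaround() {
    f=${1:-$DTPRINTINFO}
    if [ ! -e "$f" ]; then
        echo "$f: not present, nothing to do" >&2
        return 0
    fi
    if is_setuid "$f"; then
        echo "$f: setuid set (mode $(mode_of "$f"), owner $(owner_of "$f")), removing" >&2
        strip_setuid "$f"
    else
        echo "$f: setuid already clear" >&2
    fi
    ! is_setuid "$f"
}
```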
    
    Discovered by:
    --------------
      Noboru Yoshinaga (LAC) yosinagaat_private
      ARAI Yuu         (LAC) y.araiat_private
    
    Disclaimer:
    -----------
      All information in these advisories is subject to change without
      advance notice or mutual consensus, and is released as is. LAC Co.,Ltd.
      is not responsible for any damage caused by applying this information.
    
    References
    ----------
      Archive of this advisory (in preparation):
      http://www.lac.co.jp/security/english/snsadv_e/46_e.html
    
    ------------------------------------------------------------------
    Secure Net Service (SNS) Security Advisory <snsadvat_private>
    Computer Security Laboratory, LAC  http://www.lac.co.jp/security/
    



    This archive was generated by hypermail 2b30 : Tue Oct 30 2001 - 10:09:27 PST