[SNS Advisory No.46]IBM AIX dtprintinfo Buffer Overflow Vulnerability


Date: Tue, 30 Oct 2001 17:54:40 +0900
From: "snsadv@lac.co.jp" <snsadv@lac.co.jp>
To: [email protected]
Subject: [SNS Advisory No.46]IBM AIX dtprintinfo Buffer Overflow Vulnerability

----------------------------------------------------------------------
SNS Advisory No.46
IBM AIX dtprintinfo Buffer Overflow Vulnerability

Problem first discovered: Fri, 05 Oct 2001
Published: Tue, 30 Oct 2001
----------------------------------------------------------------------

Overview:
  A buffer overflow vulnerability was found in the /usr/dt/bin/dtprintinfo
  program shipped with IBM AIX. A local user can exploit it to execute
  arbitrary code with root privileges.

Problem Description:
  dtprintinfo, included with IBM AIX, is the program that opens the CDE
  Print Manager window. It is normally installed SUID root.

  The "-session" option of dtprintinfo restores the client to its
  previous desktop state by loading a session file. The session filename
  passed with this option is copied into a fixed-size buffer without a
  length check, so an unusually long filename overflows that buffer.

  Because the overflowed buffer lives in a SUID root process, a local
  attacker who supplies a suitably crafted filename can execute
  arbitrary code with root privileges.
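  The pattern described above, as an added illustration that is not
  dtprintinfo's source (IBM has not published it) and not part of this
  advisory: a hypothetical option parser copies the "-session" value
  into a fixed stack buffer with strcpy(), next to a bounded version
  that rejects anything that does not fit. The buffer size, function
  names and the 300-byte test argument are assumptions made for the
  example.

```c
/* Added example, not dtprintinfo's code: the unbounded-copy pattern behind
 * a "-session <file>" overflow, and a bounded replacement. Buffer size and
 * names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SESSION_NAME_MAX 64   /* assumed size of the fixed stack buffer */

/* Vulnerable pattern: the argument length is never checked, so a -session
 * value longer than the buffer overwrites the adjacent stack frame (saved
 * registers, return address). In a SUID-root binary that is a local root
 * hole. Kept only for contrast; never call it with untrusted input. */
void load_session_unsafe(const char *arg)
{
    char session[SESSION_NAME_MAX];
    strcpy(session, arg);          /* no bound: overflows if strlen(arg) >= 64 */
    printf("loading session %s\n", session);
}

/* Hardened version: refuse anything that does not fit (including the
 * terminating NUL), copy with an explicit length, always terminate.
 * Returns 0 on success, -1 if the argument is rejected. */
int load_session_safe(const char *arg, char *out, size_t outlen)
{
    size_t n;
    if (arg == NULL || out == NULL || outlen == 0)
        return -1;
    n = strlen(arg);
    if (n >= outlen)               /* need room for the NUL */
        return -1;
    memcpy(out, arg, n + 1);
    return 0;
}

/* Minimal argv walker: finds "-session <name>" the way a CDE client's
 * option parser would, and hands the value to the bounded loader.
 * Returns the loader's result, or 1 if no -session option was given. */
int parse_session_option(int argc, char *const argv[], char *out, size_t outlen)
{
    int i;
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-session") == 0) {
            if (i + 1 >= argc)
                return -1;         /* option without a value */
            return load_session_safe(argv[i + 1], out, outlen);
        }
    }
    return 1;
}

/* Worked checks (constructed input): a normal 16-byte name is accepted
 * and copied intact; a 300-byte run of 'A', the kind of argument the
 * advisory describes, is rejected instead of smashing the stack. */
int example_short_accepted(void)
{
    char out[SESSION_NAME_MAX];
    char *argv[] = { "dtprintinfo", "-session", "dtprintinfo.sess", NULL };
    return parse_session_option(3, argv, out, sizeof out) == 0
        && strcmp(out, "dtprintinfo.sess") == 0;
}

int example_long_rejected(void)
{
    char out[SESSION_NAME_MAX];
    char big[300];
    char *argv[3];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    argv[0] = "dtprintinfo";
    argv[1] = "-session";
    argv[2] = big;
    return parse_session_option(3, argv, out, sizeof out) == -1;
}

int main(int argc, char *argv[])
{
    char session[SESSION_NAME_MAX];
    int rc = parse_session_option(argc, argv, session, sizeof session);
    if (rc == 0)
        printf("session file: %s\n", session);
    else if (rc == 1)
        printf("no -session option given\n");
    else
        fprintf(stderr, "rejected -session argument (too long or missing)\n");
    return rc < 0 ? 1 : 0;
}
```

  Run it as `./a.out -session $(printf 'A%.0s' $(seq 300))` to see the
  bounded parser refuse the long argument; the same input handed to
  load_session_unsafe() is the crash (or, in a SUID root binary, the
  root shell) the advisory describes. The fix is the length comparison
  against the destination size before the copy, not the choice of
  copy routine.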

Tested OS:
  IBM AIX 4.3.3

Solution:
  This issue was reported to IBM in advance. IBM released an advisory
  including an emergency fix (efix) on October 29, 2001:

 ftp://aix.software.ibm.com/aix/efixes/security/CDE_libDtSvc_efix.tar.Z

  An official fix is to be made available soon.

Workarounds:
  The following workaround minimizes the impact of this problem until
  the fix is applied.

  * Remove the SUID bit from dtprintinfo.


Discovered by:
  Noboru Yoshinaga (LAC) [email protected]
  ARAI Yuu         (LAC) [email protected]

Disclaimer:
  All information in these advisories is subject to change without
  advance notice or mutual consent, and is released as is. LAC Co.,Ltd.
  is not responsible for any risk or damage arising from the use of this
  information.

References
  Archive of this advisory (in preparation at the time of publication):
  http://www.lac.co.jp/security/english/snsadv_e/46_e.html

------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp.>
Computer Security Laboratory, LAC  http://www.lac.co.jp/security/

