Date: 1 Oct 2004 10:28:51 +0200
From: SecuriTeam <support@securiteam.com.>
To: [email protected]Subject: [UNIX] IBM AIX ctstrtcasd Local File Corruption Vulnerability
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
IBM AIX ctstrtcasd Local File Corruption Vulnerability
------------------------------------------------------------------------
SUMMARY
The ctstrtcasd program is a setuid root application, installed by default
under newer versions of IBM AIX. It is part of the Reliable Scalable
Cluster Technology (RSCT) system. It is also installed with multiple IBM
products under Linux, including IBM Tivoli System Automation, IBM Cluster
Systems Management, IBM Hardware Management Console, and IBM General
Parallel File System.
Local exploitation of an input validation vulnerability in the ctstrtcasd
command included by default in multiple versions of IBM Corp. AIX could
allow for the corruption or creation of arbitrary files anywhere on the
system.
DETAILS
Vulnerable Systems:
* iDEFENSE has confirmed the existence of this vulnerability in IBM AIX
5.2.
Products shipping and installing these affected versions of RSCT as
reported by IBM are as follows:
* IBM AIX 5L Version 5.2 on pSeries
* IBM AIX 5L Version 5.3 on pSeries
* IBM AIX 5L Version 5.2, 5.3 on an i5/OS (iSeries) partition
* IBM Tivoli System Automation (TSA) for Linux 1.1
* IBM Tivoli System Automation (TSA) for Multiplatforms 1.2
* IBM Cluster Systems Management (CSM) for Linux Version 1.4 (version 1.4
and greater)
* IBM Hardware Management Console (HMC) for pSeries Version 3
* IBM Hardware Management Console (HMC) for pSeries Version 4
* IBM General Parallel File System (GPFS) Version 2 Release 2 on Linux
for xSeries and Linux for pSeries
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0828>;
CAN-2004-0828
If a user specifies a file with the -f option, the contents of that file
will be overwritten with 65,535 bytes of application trace data. If the
file doesn't exist, it will be created. The file creation/overwrite is
done with root privileges, thus allowing an attacker to cause a denial of
service condition by damaging the file system or by filling the drive with
65,535 byte files.
All that is required to exploit this vulnerability is a local account.
Exploitation does not require any knowledge of application internals,
making exploitation trivial, even for unskilled attackers. It is not
evident that privilege escalation is possible through abuse of this.
Workaround:
Only allow trusted users local access to security critical systems.
Alternately, remove the setuid bit from ctstrtcasd using:
chmod 555 /usr/sbin/rsct/bin/ctstrtcasd
Vendor Status:
"Apply the workarounds or APARs as described [in the associated IBM
Security Alert]. If you would like to receive AIX Security Advisories via
email, please visit:
<https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs>
https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs"
Disclosure Timeline:
08/11/2004 Initial vendor notification
08/25/2004 Secondary vendor notification
08/26/2004 Vendor response
09/27/2004 Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:customerservice@idefense.com.> iDEFENSE.
The original article can be found at:
<www.idefense.com/application/poi/display?id=144&type=vulnerabilities>
www.idefense.com/application/poi/display?id=144&type=vulnerabilities
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
