From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 1 May 2006 13:20:56 +0200
Subject: [UNIX] IBM AIX rm_mlcache_file Local Race Condition
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20060501114145.5885C57F4@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
IBM AIX rm_mlcache_file Local Race Condition
------------------------------------------------------------------------
SUMMARY
A local race condition exist in IBM AIX rm_mlcache_file which could allow
a local user to overwrite arbitrary file.
DETAILS
Vulnerable Systems:
* IBM AIX 5.1
* IBM AIX 5.2
* IBM AIX 5.3
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1247>;
CVE-2006-1247
rm_mlcache_file shipped with IBM AIX is used to delete some cached files.
By default it is set with suid root bit.
rm_mlcache_file contains a race condition when processing temporary files
which allows a local attacker to overwrite arbitrary files. Attackers can
launch attacks by running the program directly, or waiting till root user
runs it. Successful exploitation may result in data loss or DoS,
specifically depending on the overwritten file.
Workaround:
Remove the execution bit from rm_mlcache_file temporarily:
# chmod 000 /usr/bin/rm_mlcache_file
Vendor Status:
The vendor has released the following APAR patches to fix the
vulnerability:
* APAR number for AIX 5.1.0: IY82866
* APAR number for AIX 5.2.0: IY82285
* APAR number for AIX 5.3.0: IY82357
AIX 5 APAR patch can be downloaded at:
<http://www.ibm.com/servers/eserver/support/unixservers/aixfixes.html>;
http://www.ibm.com/servers/eserver/support/unixservers/aixfixes.html
The temporary patch for the vulnerability can be downloaded at:
<ftp://aix.software.ibm.com/aix/efixes/security/rm_mlcache_file_ifix.tar.Z>; ftp://aix.software.ibm.com/aix/efixes/security/rm_mlcache_file_ifix.tar.Z
ADDITIONAL INFORMATION
The original article can be found at:
<http://www.nsfocus.com/english/homepage/research/0603.htm>;
http://www.nsfocus.com/english/homepage/research/0603.htm
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
