From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 1 Aug 2007 10:06:36 +0200
Subject: [UNIX] IBM AIX pioout Arbitrary Library Loading Vulnerability
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20070801080150.3501D5777@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
IBM AIX pioout Arbitrary Library Loading Vulnerability
------------------------------------------------------------------------
SUMMARY
The
<http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.cmds/doc/aixcmds4/pioout.htm>; pioout program is a setuid root application, installed by default under multiple versions of IBM AIX, that is used to interface with the printer driver.
Local exploitation of an arbitrary library loading vulnerability in the
'pioout' program, as included with IBM Corp.'s AIX operating system,
allows an attacker to execute arbitrary code with root privileges.
DETAILS
Vulnerable Systems:
* AIX version 5.3 with service pack 6.
* (Previous versions may also be affected).
Exploitation of this vulnerability results in the execution of arbitrary
code with root privileges.
The pioout program is setuid root, and executable by any user with local
access. To exploit the vulnerability, all an attacker has to do is create
a shared library that executes a shell.
Workaround:
Removing the setuid bit from the binary will prevent exploitation, but may
make the program unusable by non-root users.
Vendor Status:
IBM Corp. has addressed this vulnerability by releasing interim fixes.
More information can be found via the Bulletins tab of IBM's Subscription
Service for UNIX and Linux servers.
<http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1>;
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4003>;
CVE-2007-4003
Disclosure Timeline:
* 06/05/2007 - Initial vendor notification
* 06/08/2007 - Initial vendor response
* 07/26/2007 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDefense.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=569>;
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=569
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
