From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 1 Aug 2007 09:32:18 +0200
Subject: [UNIX] IBM AIX capture Terminal Control Sequence Buffer Overflow Vulnerability
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20070801080527.1E2415791@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
IBM AIX capture Terminal Control Sequence Buffer Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
The
<http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.cmds/doc/aixcmds1/capture.htm>; capture program is a setuid root application, installed by default under multiple versions of IBM AIX, that allows terminal sessions to be dumped to a file.
Local exploitation of a stack-based buffer overflow vulnerability in the
'capture' program included with IBM Corp.'s AIX operating system allows an
attacker to execute arbitrary code with root privileges.
DETAILS
Vulnerable Systems:
* AIX version 5.3 with service pack 6.
* (Previous versions may also be affected).
The vulnerability exists within the code that parses terminal control
sequences. A long series of control sequences will trigger an exploitable
stack-based buffer overflow.
Exploitation of this vulnerability results in the execution of arbitrary
code with root privileges.
The capture program is setuid root, and executable by any user with local
access. The vulnerability is a stack-based buffer overflow, and is
trivially exploitable.
Workaround:
Removing the setuid bit from the binary will prevent exploitation, but may
make the program unusable by non-root users.
IBM Corp. has addressed this vulnerability by releasing interim fixes.
More information can be found via the Bulletins tab of IBM's Subscription
Service for UNIX and Linux servers:
<http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1>;
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=1
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3333>;
CVE-2007-3333
Disclosure Timeline:
* 06/05/2007 - Initial vendor notification
* 06/08/2007 - Initial vendor response
* 07/26/2007 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDefense.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=570>;
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=570
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
