Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] IBM AIX ctstrtcasd Local File Corruption Vulnerability

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] IBM AIX ctstrtcasd Local File Corruption Vulnerability
Date: 1 Oct 2004 10:28:51 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  IBM AIX ctstrtcasd Local File Corruption Vulnerability
------------------------------------------------------------------------


SUMMARY

The ctstrtcasd program is a setuid root application, installed by default 
under newer versions of IBM AIX. It is part of the Reliable Scalable 
Cluster Technology (RSCT) system.  It is also installed with multiple IBM 
products under Linux, including IBM Tivoli System Automation, IBM Cluster 
Systems Management, IBM Hardware Management Console, and IBM General 
Parallel File System.
Local exploitation of an input validation vulnerability in the ctstrtcasd 
command included by default in multiple versions of IBM Corp. AIX could 
allow for the corruption or creation of arbitrary files anywhere on the 
system.

DETAILS

Vulnerable Systems:
 * iDEFENSE has confirmed the existence of this vulnerability in IBM AIX 
5.2.
Products shipping and installing these affected versions of RSCT as 
reported by IBM are as follows:
 * IBM AIX 5L Version 5.2 on pSeries
 * IBM AIX 5L Version 5.3 on pSeries
 * IBM AIX 5L Version 5.2, 5.3 on an i5/OS (iSeries) partition
 * IBM Tivoli System Automation (TSA) for Linux 1.1
 * IBM Tivoli System Automation (TSA) for Multiplatforms 1.2
 * IBM Cluster Systems Management (CSM) for Linux Version 1.4 (version 1.4 
and greater)
 * IBM Hardware Management Console (HMC) for pSeries Version 3
 * IBM Hardware Management Console (HMC) for pSeries Version 4
 * IBM General Parallel File System (GPFS) Version 2 Release 2 on Linux 
for xSeries and Linux for pSeries

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0828> 
CAN-2004-0828

If a user specifies a file with the -f option, the contents of that file 
will be overwritten with 65,535 bytes of application trace data. If the 
file doesn't exist, it will be created. The file creation/overwrite is 
done with root privileges, thus allowing an attacker to cause a denial of 
service condition by damaging the file system or by filling the drive with 
65,535 byte files.

All that is required to exploit this vulnerability is a local account. 
Exploitation does not require any knowledge of application internals, 
making exploitation trivial, even for unskilled attackers. It is not 
evident that privilege escalation is possible through abuse of this.

Workaround:
Only allow trusted users local access to security critical systems. 
Alternately, remove the setuid bit from ctstrtcasd using:
chmod 555 /usr/sbin/rsct/bin/ctstrtcasd

Vendor Status:
"Apply the workarounds or APARs as described [in the associated IBM 
Security Alert]. If you would like to receive AIX Security Advisories via 
email, please visit:  
<https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs> 
https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs";

Disclosure Timeline:
08/11/2004   Initial vendor notification
08/25/2004   Secondary vendor notification
08/26/2004   Vendor response
09/27/2004   Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by  
<mailto:customerservice@idefense.com> iDEFENSE.
The original article can be found at:  
<www.idefense.com/application/poi/display?id=144&type=vulnerabilities> 
www.idefense.com/application/poi/display?id=144&type=vulnerabilities



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] IBM AIX ctstrtcasd Local File Corruption Vulnerability, SecuriTeam <=
Previous by Date:  [NT] HTTP Response Splitting and SQL Injection in Megabbs Forum, SecuriTeam
Next by Date:  [REVS] Analysis of Real Network's RealServer Remote Root Exploit, SecuriTeam
Previous by Thread:  [NT] HTTP Response Splitting and SQL Injection in Megabbs Forum, SecuriTeam
Next by Thread:  [REVS] Analysis of Real Network's RealServer Remote Root Exploit, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]