Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] IBM AIX chdev Local Format String Vulnerability

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] IBM AIX chdev Local Format String Vulnerability
Date: 17 Feb 2005 19:29:27 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  IBM AIX chdev Local Format String Vulnerability
------------------------------------------------------------------------


SUMMARY

The chdev program is "a setuid root application, installed by default 
under multiple versions of IBM AIX, that facilitates the changing of 
device characteristics". Local exploitation of a format string 
vulnerability in the chdev command included by default in multiple 
versions of IBM Corp.'s AIX operating system could allow for arbitrary 
code execution as the root user.

DETAILS

Vulnerable Systems:
 * IBM AIX version 5.2

The vulnerability specifically exists due to an improperly used formatted 
printing function. When provided with an incorrect argument (argv[1]) that 
contains a format string, the format string will be fed into a formatted 
printing function, and the user supplied format string will be evaluated, 
allowing for a malicious user to examine stack memory and write to 
arbitrary memory locations. With a properly crafted string, this can lead 
to the execution of arbitrary code.

Analysis:
This vulnerability can only be exploited by a local user who has been 
granted access to the "system" group. Successful exploitation leads to 
root-level access.

Due to the nature of the vulnerability, information leakage is trivial and 
aids the attacker in exploitation.

Workaround:
Only allow trusted users local access to security critical systems. Only 
allow trusted system administrators access to the "system" group. 
Alternately, remove the setuid bit from chdev using chmod u-s 
/usr/sbin/chdev.

Vendor response:
The vendor has not released a patch for this issue, however, the following 
details have been published:  
<http://www-1.ibm.com/support/docview.wss?uid=isg1IY67455> 
http://www-1.ibm.com/support/docview.wss?uid=isg1IY67455

In addition, a security advisory will be posted at the following site:  
<https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs?mode=1> 
https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs?mode=1

Please note that a free signup is required to access the security 
advisory.

Disclosure Timeline:
12/21/2004 - Initial vendor notification
01/07/2005 - Initial vendor response
02/07/2005 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by  
<mailto:customerservice@idefense.com> iDEFENSE.
The original article can be found at:  
<http://www.idefense.com/application/poi/display?type=vulnerabilities> 
http://www.idefense.com/application/poi/display?type=vulnerabilities



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] IBM AIX chdev Local Format String Vulnerability, SecuriTeam <=
Previous by Date:  [REVS] Blind Injection in MySQL Databases (via BENCHMARK), SecuriTeam
Next by Date:  [REVS] The Misuse of RC4 in Microsoft Word and Excel, SecuriTeam
Previous by Thread:  [REVS] Blind Injection in MySQL Databases (via BENCHMARK), SecuriTeam
Next by Thread:  [REVS] The Misuse of RC4 in Microsoft Word and Excel, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]