Bugtraq mailing list archives
Re: AIX dtaction and HOME vulnerability
From: troy () AUSTIN IBM COM (Bollinger)
Date: Tue, 10 Jun 1997 23:58:08 -0500
Georgi Guninski wrote:
> Under AIX 4.2 (probably others) /usr/dt/bin/dtaction does not handle
> properly the HOME environment variable and that spawns a root shell.
> A lot of other X programs have the same problem and /bin/X11/xlock is
> well known to be exploitable. Tested on AIX 4.2 box.
>
> SOLUTION: #chmod -s /usr/dt/bin/dtaction /bin/X11/xlock OR apply patches

xlock fixes:

AIX 4.1 - IX68190
AIX 4.2 - IX68191

The 4.2 fix is not available yet. There's a temporary fix at:
ftp://testcase.software.ibm.com/aix/fromibm/xlock.overflow_fix.aix4.tar

dtaction fixes:

I haven't been able to get a *root* shell out of this exploit yet. The code uses "setreuid(getuid(), getuid(), getuid());" just inside main(). However, there are definite buffer overflow bugs being exploited in libDtSvc.a to run arbitrary code off the stack ;-).

There's a temporary fix for this one at:
ftp://testcase.software.ibm.com/aix/fromibm/dtaction.security.tar.Z

Checksums for both temporary fixes are given in the README in each tar file.

--
+-------------- I do not speak for IBM! -----------------+
|Troy Bollinger           |                    92CBR600F2|
|AIX Security Development |        troy () austin ibm com|
+----------------------------------------------------------+
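The two defensive measures this message touches on, dropping set-uid privilege at the top of main() and bounding any copy of HOME, sketched as an added example that is not part of the original post and is not IBM's dtaction or libDtSvc.a code. The function names, the ".dt" suffix and the 1024-byte buffer are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop set-uid/set-gid privilege and verify it is gone.
 * POSIX setreuid() takes (real, effective). Returns 0 on success. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setregid(rgid, rgid) != 0) return -1;  /* group first, while still privileged */
    if (setreuid(ruid, ruid) != 0) return -1;
    if (geteuid() != ruid || getegid() != rgid) return -1;
    if (ruid != 0 && setuid(0) == 0) return -1; /* root must not be regainable */
    return 0;
}

/* Build "<home>/<suffix>" in out[outlen]. In a set-uid program HOME is
 * caller-controlled, so NULL, relative or overlong values are rejected
 * rather than truncated or copied unchecked. Returns 0 or -1. */
int build_home_path(const char *home, const char *suffix, char *out, size_t outlen)
{
    const char *end;
    size_t hlen, slen;

    if (home == NULL || suffix == NULL || out == NULL || outlen == 0) return -1;
    if (home[0] != '/') return -1;
    end = memchr(home, '\0', outlen);           /* look at no more than outlen bytes */
    if (end == NULL) return -1;                 /* HOME alone would not fit */
    hlen = (size_t)(end - home);
    slen = strlen(suffix);
    if (slen + 2 > outlen - hlen) return -1;    /* '/' + suffix + NUL must fit */
    memcpy(out, home, hlen);
    out[hlen] = '/';
    memcpy(out + hlen + 1, suffix, slen + 1);   /* copies the terminating NUL */
    return 0;
}

int main(void)
{
    char path[1024];                            /* hypothetical fixed-size buffer */

    if (drop_privileges() != 0) { fputs("cannot drop privileges\n", stderr); return 1; }
    if (build_home_path(getenv("HOME"), ".dt", path, sizeof path) != 0) {
        fputs("HOME is unset, relative or too long\n", stderr);
        return 1;
    }
    printf("using %s\n", path);
    return 0;
}
```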