Re: AIX writesrv on port 2401

[Troy Bollinger <troy () austin ibm com>]

Quoting axess (axess () alldas de):
> > From my experience.watchin defaced AIX systems all day long and
> see what port they have open i draw this conclustion.
> This has not been added to public notice or i would not have went into
> this discussion at all. There is no flaw in it.
> Just a way to determite an operating system.
> We are  talking about script kiddies that want * to deface.
> I also refer to our database. 99% of all defaced AIX has this port open.
> Since this has been a long discussion about this i want to point out
> once again. No flaw / determite OS and after that exploit the AIX.

Old versions of AIX had a buffer overflow in writesrv (which does listen
on port 2401).  The patches were released back in 1997:

  Abstract:  SECURITY: buffer overflow in writesrv daemon
  APAR 4.1:  IX69168
  APAR 4.2:  IX69169

Both of these releases are no longer supported and the currently
supported releases (v4.3 and v5) are not known to be vulnerable.  If
anyone has information to the contrary, please contact
security-alert () austin ibm com.

I'd also be curious to know which of the lsd (or other) exploits are
being used to compromise AIX boxes.  The ones I've seen are for fairly
old vulnerabilities which have had patches issued.  See
MSS-OAR-E01-2001:339.1 at:

  http://www-1.ibm.com/services/continuity/recover1.nsf/Advisories

for the list of patches that apply to the lsd exploits.

-- 
Troy Bollinger <troy () austin ibm com>
Network Security Analyst
PGP keyid: 1024/0xB7783129
Troy's opinions are not IBM policy

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com