Security Incidents mailing list archives
Re: AIX writesrv on port 2401
From: Troy Bollinger <troy () austin ibm com>
Date: Fri, 31 Aug 2001 10:26:47 -0500
Quoting axess (axess () alldas de):
From my experience.watchin defaced AIX systems all day long andsee what port they have open i draw this conclustion. This has not been added to public notice or i would not have went into this discussion at all. There is no flaw in it. Just a way to determite an operating system. We are talking about script kiddies that want * to deface. I also refer to our database. 99% of all defaced AIX has this port open. Since this has been a long discussion about this i want to point out once again. No flaw / determite OS and after that exploit the AIX.
Old versions of AIX had a buffer overflow in writesrv (which does listen on port 2401). The patches were released back in 1997: Abstract: SECURITY: buffer overflow in writesrv daemon APAR 4.1: IX69168 APAR 4.2: IX69169 Both of these releases are no longer supported and the currently supported releases (v4.3 and v5) are not known to be vulnerable. If anyone has information to the contrary, please contact security-alert () austin ibm com. I'd also be curious to know which of the lsd (or other) exploits are being used to compromise AIX boxes. The ones I've seen are for fairly old vulnerabilities which have had patches issued. See MSS-OAR-E01-2001:339.1 at: http://www-1.ibm.com/services/continuity/recover1.nsf/Advisories for the list of patches that apply to the lsd exploits. -- Troy Bollinger <troy () austin ibm com> Network Security Analyst PGP keyid: 1024/0xB7783129 Troy's opinions are not IBM policy ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Re: AIX writesrv on port 2401 Troy Bollinger (Sep 01)