Bugtraq mailing list archives

Re: AIX dtaction and HOME vulnerability


From: troy () AUSTIN IBM COM (Bollinger)
Date: Tue, 10 Jun 1997 23:58:08 -0500


Georgi Guninski wrote:

> Under AIX 4.2 (probably others) /usr/dt/bin/dtaction does not properly
> handle the HOME environment variable, and that spawns a root shell. A lot
> of other X programs have the same problem, and /bin/X11/xlock is well known
> to be exploitable.
> Tested on an AIX 4.2 box.
>
> SOLUTION: #chmod -s /usr/dt/bin/dtaction /bin/X11/xlock
>  OR apply patches


xlock fixes:
  AIX 4.1 - IX68190
  AIX 4.2 - IX68191
    The 4.2 fix is not available yet.  There's a temporary fix at:
      ftp://testcase.software.ibm.com/aix/fromibm/xlock.overflow_fix.aix4.tar

dtaction fixes:
  I haven't been able to get a *root* shell out of this exploit yet.
  The code uses "setreuid(getuid(), getuid(), getuid());" just inside
  main().  However, there are definite buffer overflow bugs being
  exploited in libDtSvc.a to run arbitrary code off the stack ;-).
  There's a temporary fix for this one at:
      ftp://testcase.software.ibm.com/aix/fromibm/dtaction.security.tar.Z

Checksums for both temporary fixes are given in the README in each tar
file.


--
+--------------  I do not speak for IBM!  -----------------+
|Troy Bollinger             |                    92CBR600F2|
|AIX Security Development   |           troy () austin ibm com|
+----------------------------------------------------------+

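A post-mitigation check for the "chmod -s" workaround discussed above, added here as an example and not part of the original message or of IBM's fixes: it reports whether the two binaries named in the thread still carry the setuid bit and lists any other setuid-root files in the same directories so they can be reviewed too. It relies only on POSIX find options (-perm, -user, -prune); the paths are the advisory's own.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the setuid bit has
# been dropped from the binaries named in the advisory, and audit the rest
# of the CDE / X11 directories for other setuid-root executables.

# Return 0 if the path exists and carries the setuid bit, 1 otherwise.
# "-prune" keeps find from descending if the path is a directory.
has_suid() {
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]
}

# Print one status line per path: SUID (still exploitable setuid), ok,
# or none (binary not installed on this host).
report_suid() {
    for f in "$@"; do
        if has_suid "$f"; then
            printf 'SUID  %s\n' "$f"
        elif [ -e "$f" ]; then
            printf 'ok    %s\n' "$f"
        else
            printf 'none  %s (not installed)\n' "$f"
        fi
    done
}

# List every setuid-root regular file below the given directories; with no
# arguments, look in the two directories the advisory's binaries live in.
list_suid_root() {
    [ $# -eq 0 ] && set -- /usr/dt/bin /bin/X11
    for d in "$@"; do
        [ -d "$d" ] && find "$d" -type f -user root -perm -4000 2>/dev/null
    done
    return 0
}

# Usage: check the two binaries from the thread, then audit their directories.
report_suid /usr/dt/bin/dtaction /bin/X11/xlock
list_suid_root
```

Run it as root after applying the chmod or the fix; any "SUID" line means the workaround has not taken effect on that binary.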
