Bugtraq mailing list archives
Re: named-xfer hole on AIX (fwd)
From: troy () AUSTIN IBM COM (Troy A. Bollinger)
Date: Mon, 27 Sep 1999 17:24:50 -0500
Quoting Kyle Amon (amonk () GNUTEC COM):
On AIX, named-xfer has the following permissions...

-r-sr-xr-- 1 root system 32578 Feb 18 1997 /usr/sbin/named-xfer

which of course means that only root and members of the system group have execute permission but that (since the SUID bit is set) it executes as root even when run by non-root members of the system group. So, although one would have to already be a member of the system group (or manage to obtain such status) in order to exploit the problem described here, it's still a rather significant problem. And it's much worse than the old sendmail -C problem, which was still exploitable in AIX up until very recently when one was a member of the system group. The big difference here being that sendmail -C only let one read files they shouldn't have been able to read, whereas this problem lets one write them :-).
AIX administrative groups (such as system) should only be assigned to users that are trusted to perform duties that ordinarily would require the root password. To put it another way, if you need to use named-xfer to get root from the system group, your cracker license is getting stale.
The problem is that named-xfer writes its resulting zone file (when using the -f option) without (or at least before) relinquishing its root privilege (and I doubt it ever relinquishes it since it doesn't really need it in the first place).
Nevertheless, this certainly isn't expected behavior. I've opened defect 287556 to fix this in the next release.

--
Troy Bollinger                          troy () austin ibm com
AIX Security Development                security-alert () austin ibm com
PGP keyid: 1024/0xB7783129
Troy's opinions are not IBM policy
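The defect discussed above is a setuid-root program that opens a caller-named output file (named-xfer -f) while still running as root, so the kernel checks root's permissions on the path instead of the caller's. The following is an added example and is not named-xfer's code, nor IBM's fix for defect 287556: it shows the vulnerable open() beside the hardened shape, where the tool drops root permanently and verifies the drop before it touches the path, and refuses a symlink at the target. The function names, the /tmp output path and the sample SOA record are assumptions made for illustration.

```c
/* Added example, not named-xfer's code: privilege-dropping pattern for a
 * setuid-root tool that must create an output file whose name the caller
 * chose. Function names and the sample data below are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Give up root for good: real, effective and saved ids all become the
 * caller's, so every later open() is checked against the caller's rights.
 * Returns 0 on success, -1 if anything is still elevated. */
static int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: once the uid is no longer 0, setgid() cannot succeed. */
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;

    /* Do not trust the return values alone: confirm nothing stayed
     * elevated and that root cannot be regained from a saved uid. */
    if (getgid() != rgid || getegid() != rgid)
        return -1;
    if (getuid() != ruid || geteuid() != ruid)
        return -1;
    if (ruid != 0 && seteuid(0) == 0)
        return -1;  /* regaining root must fail for a non-root caller */
    return 0;
}

/* Vulnerable shape, kept for contrast: the path is opened while the
 * process may still be root, so in a setuid-root binary any file the
 * caller names is created or truncated with root's permissions. */
int write_output_file_as_root(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Hardened shape: drop root first, refuse to continue if that fails, and
 * do not follow a symlink at the target so a pre-planted link cannot
 * redirect the write elsewhere. */
int write_output_file_unprivileged(const char *path, const char *data)
{
    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "refusing to write %s: cannot drop privileges (%s)\n",
                path, strerror(errno));
        return -1;
    }
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;  /* ELOOP when `path` is a symlink */
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Result check used when exercising the functions: 1 if the file at
 * `path` holds exactly `expected`, else 0. */
int file_contents_equal(const char *path, const char *expected)
{
    char buf[512];
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return strcmp(buf, expected) == 0;
}

/* Stand-alone use, mirroring the -f option: ./a.out -f /path/to/out.zone */
int main(int argc, char **argv)
{
    const char *zone =
        "example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
        "1 3600 900 604800 86400\n";  /* constructed sample record */
    if (argc != 3 || strcmp(argv[1], "-f") != 0) {
        fprintf(stderr, "usage: %s -f outfile\n", argv[0]);
        return 2;
    }
    return write_output_file_unprivileged(argv[2], zone) == 0 ? 0 : 1;
}
```

Run as an ordinary user the two functions behave the same, which is exactly the point: the hardened version makes a setuid-root binary behave as if the caller had run it unprivileged, and the explicit post-drop checks catch the case (seen on some systems) where setuid() returns success but leaves a saved uid of 0 behind.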
Current thread:
- named-xfer hole on AIX (fwd) Kyle Amon (Sep 23)
- Re: named-xfer hole on AIX (fwd) Troy A. Bollinger (Sep 27)