Re: AIX dtaction and HOME vulnerability

Bollinger (troy@AUSTIN.IBM.COM)
Tue, 10 Jun 1997 23:58:08 -0500

-----BEGIN PGP SIGNED MESSAGE-----

Georgi Guninski wrote:
> Under AIX 4.2 (probably others) /usr/dt/bin/dtaction does not handle
> properly the HOME environment variable and that spawns a root shell. A lot
> of other X programs have the same problem and /bin/X11/xlock is well known
> to be exploitable.
> Tested on AIX 4.2 box.
>
> SOLUTION: #chmod -s /usr/dt/bin/dtaction /bin/X11/xlock
> OR apply patches

xlock fixes:
AIX 4.1 - IX68190
AIX 4.2 - IX68191
The 4.2 fix is not available yet. There's a temporary fix at:
ftp://testcase.software.ibm.com/aix/fromibm/xlock.overflow_fix.aix4.tar

dtaction fixes:
I haven't been able to get a *root* shell out of this exploit yet.
The code uses "setreuid(getuid(), getuid(), getuid());" just inside
main(). However, there are definite buffer overflow bugs being
exploited in libDtSvc.a to run arbitrary code off the stack ;-).
There's a temporary fix for this one at:
ftp://testcase.software.ibm.com/aix/fromibm/dtaction.security.tar.Z

Checksums for both temporary fixes are given in the README in each tar
file.

--
+-------------- I do not speak for IBM! -----------------+
|Troy Bollinger | 92CBR600F2|
|AIX Security Development | troy@austin.ibm.com|
+----------------------------------------------------------+
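Added example, not code from IBM, the advisory or either poster: the two defensive points in the reply, dropping setuid privilege just inside main() and never copying an environment value such as HOME into a fixed buffer without a length check. The buffer size, function names and sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical fixed-size buffer for a path built from $HOME (illustrative size). */
#define HOME_BUF 64

/* Drop setuid privilege before touching untrusted input, as the reply says
 * dtaction does just inside main(). Returns 1 once euid equals the real uid. */
int drop_privileges(void) {
    uid_t real = getuid();
    if (setreuid(real, real) != 0)
        return 0;
    return geteuid() == real;
}

/* Copy an environment-supplied value into a bounded buffer. Returns 0 on
 * success, -1 if it would not fit: rejected, never written past the end. */
int copy_env_bounded(const char *value, char *dst, size_t dstlen) {
    if (value == NULL || dstlen == 0)
        return -1;
    size_t n = strlen(value);
    if (n >= dstlen)
        return -1;
    memcpy(dst, value, n + 1);
    return 0;
}

/* Constructed inputs: a normal HOME and one far larger than the buffer. */
int demo(void) {
    char buf[HOME_BUF];
    char big[HOME_BUF + 100];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    int ok = copy_env_bounded("/home/troy", buf, sizeof buf);  /* 0 */
    int rejected = copy_env_bounded(big, buf, sizeof buf);     /* -1 */
    return ok == 0 && rejected == -1;
}

int main(void) {
    char buf[HOME_BUF];
    if (!drop_privileges()) { fputs("cannot drop privileges\n", stderr); return 1; }
    if (copy_env_bounded(getenv("HOME"), buf, sizeof buf) != 0) {
        fputs("HOME missing or too long, refusing\n", stderr); return 1;
    }
    printf("HOME accepted: %s\n", buf);
    return 0;
}
```

Note that the privilege drop only helps if it happens before any library code parses the environment; an overflow reached after setreuid() still runs code, just not as root.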
